I hope this helps https://lists.apache.org/thread/m3bhytsh3yrhsxvo98vcyx4q6w0m1d4v
On Fri, Jan 28, 2022, 9:58 AM Tim Funk <funk...@apache.org> wrote: > Out of the box, no version of Apache Tomcat uses any log4j version. > > If log4j is used, it is by a specific application (not provided by the ASF) > deployed to Tomcat. (Or an admin changed the default install to add it) > > -Tim > > On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21 > <samuel.anderson-burr...@cloud21.net.invalid> wrote: > > > Good Afternoon Apache > > Hope your well, my name is Samuel I work for a Security firm Cloud 21 and > > we have been working with a client who uses your software in particular > > Tomcat. > > We are looking to see if there is a security patch against log4j. The > > version they are using is tomcat 7, checking your dedicated page for > Tomcat > > version 7 Apache Tomcat(r) - Apache Tomcat 7 vulnerabilities< > > > https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities > > > > there does not appear to be an article to patch against it. > > Forgive me if I'm not looking in the correct area if there is one please > > could you point me in the right direct. I did try and email your security > > mailbox but received an automated message back saying that I needed to be > > on the subscribed list which I have attempted to subscribed too but I > have > > not had a response back yet. > > > > >
