I understand that the GeoTools/Geoserver community has made a fix to address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar
But there is also an older vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2019-17571, that says:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17."
Does this affect Geoserver?
Regards,
Ron
On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. daniel.calliess@anonymised.com wrote:
Hi,
please be aware that log4j 1.x might also be affected when using the JMSAppender in the configuration!
From the log4j project website:
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
Regards
Daniel
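As an added example (not part of this thread, and not GeoServer's or GeoTools' own code), the following Python script performs the two checks the thread raises: Daniel's advice to audit the logging configuration for a JMSAppender (CVE-2021-4104), and Ron's question about whether the SocketServer class (CVE-2019-17571) is still shipped in a given log4j 1.2 jar. The sample configurations and the in-memory jars are constructed for the demo; the class names `org.apache.log4j.net.JMSAppender` and `org.apache.log4j.net.SocketServer` are the real ones from log4j 1.2, and `audit_jar_file` is a hypothetical wrapper for running the check against a jar on disk.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Fully qualified name of the appender discussed for CVE-2021-4104.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# Class entries inside a log4j 1.2 jar that the two CVEs in the thread concern.
RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
)

# Constructed sample configurations (hypothetical; not GeoServer's own files).
PROPERTIES_WITH_JMS = """\
# constructed log4j.properties with a JMS appender bound to the root logger
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.example.DummyContextFactory
log4j.appender.jms.TopicBindingName=logTopic
"""
PROPERTIES_CLEAN = """\
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""
XML_WITH_JMS = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

# log4j.appender.<name>=<class>; property lines like .layout= do not match
# because <name> may not contain a dot.
_PROP_APPENDER = re.compile(r"log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")


def find_jms_appenders(config_text):
    """Return the names of appenders bound to JMSAppender in a log4j 1.x config.

    Accepts either the properties format (log4j.appender.<name>=<class>)
    or the XML format (<appender name="..." class="...">).
    """
    text = config_text.lstrip()
    if text.startswith("<"):
        root = ET.fromstring(text)
        return [a.get("name") for a in root.iter("appender")
                if a.get("class") == JMS_APPENDER]
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _PROP_APPENDER.match(line)
        if m and m.group(2) == JMS_APPENDER:
            names.append(m.group(1))
    return names


def risky_classes_in_jar(jar_bytes):
    """Return the RISKY_CLASSES entries actually present in the jar bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        present = set(jar.namelist())
    return sorted(c for c in RISKY_CLASSES if c in present)


def audit_jar_file(path):
    """Hypothetical wrapper for a jar on disk (e.g. a log4j jar under WEB-INF/lib)."""
    with open(path, "rb") as fh:
        return risky_classes_in_jar(fh.read())


def build_sample_jar(entries):
    """Construct an in-memory jar with empty placeholder entries (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, cfg in (("properties", PROPERTIES_WITH_JMS),
                       ("xml", XML_WITH_JMS),
                       ("clean", PROPERTIES_CLEAN)):
        print(label, "JMS appenders:", find_jms_appenders(cfg))
    stock = build_sample_jar(RISKY_CLASSES + ("org/apache/log4j/Logger.class",))
    stripped = build_sample_jar(("org/apache/log4j/Logger.class",))
    print("jar with both classes:", risky_classes_in_jar(stock))
    print("jar without them     :", risky_classes_in_jar(stripped))
```

The two checks answer different questions. The jar check tells you what a given build ships, which is how you would verify what a replacement jar such as the one Ron mentions actually contains. The configuration check tells you what the running application loads: JMSAppender only matters if an appender of that class is configured, and SocketServer is a standalone listening process started separately from the application, not something a log4j.properties file enables, so its presence in the jar does not by itself mean it is in use.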
From: Michael Steigemann via Geoserver-users [mailto:geoserver-users@lists.sourceforge.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List geoserver-users@anonymised.come.net
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer
Hello!
I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
As far as I can see, GeoServer 2.20.1 still uses Log4J version 1 (log4j-1.2.17.jar) and luckily is not affected by the problem itself. On the other hand, the log4j version 1 in use has not been officially supported since 2015: “…Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes…” (https://logging.apache.org/log4j/2.x/security.html)
Are there any plans to integrate log4j version 2 in GeoServer?
Thanks for your short feedback and all the best,
Michael