Hello all,

The following message was sent out by the developers for Tomcat a few days ago. It appears that only 8.0.x and some 8.5.x versions of tomcat use log4j as a default. While current versions do have the capability to utilize log4j, *this is not enabled by default* and Tomcat must be configured to allow log4j use. I'm not sure if any of the above situations apply to you, but if you are using a current version of Tomcat "out-of-the-box" you should be fine.

We will post any relevant follow up information to this list as we receive it. Please let us know if you have any questions (thredds-support@xxxxxxxxxxxxxxxx).

Kind regards,
THREDDS development team

> Mark Thomas <markt@xxxxxxxxxx> Tue, Dec 14, 2:52 AM (4 days ago)
> to Tomcat, Tomcat, announce@xxxxxxxxxxxxxxxxx, announce
>
> The following represents the current understanding of the Apache Tomcat
> security team at the time this announcement was issued. There is a lot
> of security research being focussed on log4j2 at the moment and it is
> probable that additional information will emerge.
>
> Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x)
> have no dependency on any version of log4j.
>
> Web applications deployed on Tomcat may have a dependency on log4j. You
> should seek support from your application vendors on how best to address
> this vulnerability.
>
> Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x
> (8.5.3 and earlier) provided optional support for switching Tomcat's
> internal logging to log4j 1.x. Anyone using these very old (5+
> years), unsupported versions of Tomcat that switched to using log4j 1.x
> may need to address this vulnerability as log4j 1.x may be affected in
> some (probably rarely used) configurations. Regardless, they'll need to
> address the Tomcat vulnerabilities that have been made public in those
> 5+ years.
>
> It is possible to configure Tomcat to use log4j 2.x for Tomcat's
> internal logging. This requires explicit configuration and the addition
> of the log4j 2.x library. Anyone who has switched Tomcat's internal
> logging to log4j 2.x is likely to need to address this vulnerability.
>
> In most cases, disabling the problematic feature will be the simplest
> solution. Exactly how to do that depends on the exact version of log4j2
> being used. Details are provided on the log4j2 security page [1].
>
> If not already subscribed, you may wish to follow the ASF announcements
> mailing list [2] where any significant updates from the logging project
> will be posted.
>
> If you have any questions regarding this issue or how to mitigate it,
> please direct them to the Apache Tomcat Users mailing list [3].
>
> The Apache Tomcat Security Tea
>
> [1] https://logging.apache.org/log4j/2.x/security.html
> [2] https://www.apache.org/foundation/mailinglists.html#foundation-announce
> [3] https://tomcat.apache.org/lists.html#tomcat-users
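Added example (not part of the THREDDS message or the Tomcat announcement): a POSIX shell check that inventories log4j jars under a Tomcat installation, separating jars on Tomcat's own classpath (lib/, the "switched internal logging" case the announcement describes) from jars bundled inside deployed web applications. It assumes the standard CATALINA_HOME layout (lib/ and webapps/<app>/WEB-INF/lib/) and that jar file names carry the version, as Maven-built artifacts do.

```shell
#!/bin/sh
# Inventory log4j jars under a Tomcat installation (assumed CATALINA_HOME layout).
# Prints one line per jar: "<scope> <artifact> <version> <path>"
#   scope = "tomcat-internal" for $home/lib  (Tomcat's own logging was switched to log4j)
#   scope = "webapp:<name>"   for jars shipped by a deployed application
log4j_inventory() {
    home="$1"
    find "$home/lib" "$home/webapps" -type f -name 'log4j-*.jar' 2>/dev/null | sort |
    while read -r jar; do
        base=$(basename "$jar" .jar)
        # Maven naming: <artifact>-<version>.jar, e.g. log4j-core-2.14.1, log4j-1.2.17
        version=${base##*-}
        artifact=${base%-*}
        case "$jar" in
            "$home"/lib/*) scope="tomcat-internal" ;;
            "$home"/webapps/*)
                rel=${jar#"$home"/webapps/}
                scope="webapp:${rel%%/*}" ;;
            *) scope="other" ;;
        esac
        printf '%s %s %s %s\n' "$scope" "$artifact" "$version" "$jar"
    done
}

# Number of log4j-core 2.x jars found anywhere under the installation. log4j 1.x
# (artifact "log4j") is listed by log4j_inventory but not counted here, since the
# announcement treats 1.x and 2.x as separate cases.
log4j2_core_count() {
    log4j_inventory "$1" | awk '$2 == "log4j-core" && $3 ~ /^2\./ { n++ } END { print n + 0 }'
}

# Usage: sh log4j-inventory.sh /path/to/tomcat
if [ $# -gt 0 ]; then
    log4j_inventory "$1"
    echo "log4j-core 2.x jars: $(log4j2_core_count "$1")"
fi
```

Each jar this reports still has to be matched against the version guidance on the log4j2 security page [1]; the script only tells you where log4j is present and who put it there.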