Mark,
Adding that the below message also applies for both CVE-2021-45046 and
CVE-2021-4104 as well as the originally-mentioned 2021-44228, for
completeness.
-chris
On 12/14/21 04:51, Mark Thomas wrote:
The following represents the current understanding of the Apache Tomcat
security team at the time this announcement was issued. There is a lot
of security research being focussed on log4j2 at the moment and it is
probable that additional information will emerge.
Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x)
have no dependency on any version of log4j.
Web applications deployed on Tomcat may have a dependency on log4j. You
should seek support from your application vendors on how best to address
this vulnerability.
Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x
(8.5.3 and earlier) provided optional support for switching Tomcat's
internal logging to log4j 1.x. Anyone using these very old (5+
years), unsupported versions of Tomcat that switched to using log4j 1.x
may need to address this vulnerability as log4j 1.x may be affected in
some (probably rarely used) configurations. Regardless, they'll need to
address the Tomcat vulnerabilities that have been made public in those
5+ years.
It is possible to configure Tomcat to use log4j 2.x for Tomcat's
internal logging. This requires explicit configuration and the addition
of the log4j 2.x library. Anyone who has switched Tomcat's internal
logging to log4j 2.x is likely to need to address this vulnerability.
In most cases, disabling the problematic feature will be the simplest
solution. Exactly how to do that depends on the exact version of log4j2
being used. Details are provided on the log4j2 security page [1].
If not already subscribed, you may wish to follow the ASF announcements
mailing list [2] where any significant updates from the logging project
will be posted.
If you have any questions regarding this issue or how to mitigate it,
please direct them to the Apache Tomcat Users mailing list [3].
The Apache Tomcat Security Team
[1] https://logging.apache.org/log4j/2.x/security.html
[2] https://www.apache.org/foundation/mailinglists.html#foundation-announce
[3] https://tomcat.apache.org/lists.html#tomcat-users
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
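Added example, not part of the advisory or of Tomcat itself: a POSIX shell inventory that applies the advisory's distinction between Tomcat's own classpath (lib/, where a log4j jar means internal logging was switched) and application jars under webapps/*/WEB-INF/lib. It assumes the standard CATALINA_HOME layout and reads the version from the jar file name; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Inventory log4j jars in a Tomcat installation (added example, not from the
# advisory). Assumed layout: $CATALINA_HOME/lib holds jars on Tomcat's own
# classpath; webapps/<app>/WEB-INF/lib holds each application's jars.

# Print one line per log4j jar: scope<TAB>path<TAB>version
# scope is "tomcat-internal" for lib/ and "webapp:<name>" for deployed apps.
find_log4j_jars() {
    root=$1
    find "$root/lib" "$root/webapps" -type f -name 'log4j*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # version = trailing dotted-number group of the file name, e.g. 2.14.1
        version=$(printf '%s\n' "$base" | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p')
        case "$jar" in
            "$root"/lib/*) scope=tomcat-internal ;;
            "$root"/webapps/*) app=${jar#"$root"/webapps/}; scope="webapp:${app%%/*}" ;;
            *) scope=other ;;
        esac
        printf '%s\t%s\t%s\n' "$scope" "$jar" "${version:-unknown}"
    done
}

# Number of log4j 2.x jars on Tomcat's own classpath: non-zero means internal
# logging was switched to log4j 2.x and the log4j2 security page applies.
internal_log4j2_count() {
    find_log4j_jars "$1" | awk -F'\t' '$1=="tomcat-internal" && $3 ~ /^2\./' \
        | wc -l | tr -d ' '
}

# Build a constructed sample installation (empty placeholder jars) for a demo.
make_sample_tomcat() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/webapps/ROOT/WEB-INF/lib" "$d/webapps/shop/WEB-INF/lib"
    : > "$d/lib/log4j-api-2.14.1.jar"
    : > "$d/lib/log4j-core-2.14.1.jar"
    : > "$d/webapps/shop/WEB-INF/lib/log4j-1.2.17.jar"
    : > "$d/webapps/ROOT/WEB-INF/lib/commons-io-2.11.0.jar"
    printf '%s\n' "$d"
}

# Usage: sh inventory.sh /path/to/tomcat
if [ -n "$1" ]; then find_log4j_jars "$1"; fi
```

A 1.x jar in a webapp points at the application vendor, as the advisory says; a 2.x jar under lib/ means the mitigation on the log4j2 security page applies to Tomcat's own logging.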