[SECURITY] Apache Tomcat and CVE-2021-44228 (Log4j vulnerability)

2021-12-14 Thread Mark Thomas
The following represents the current understanding of the Apache Tomcat 
security team at the time this announcement was issued. There is a lot 
of security research being focussed on log4j2 at the moment and it is 
probable that additional information will emerge.


Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) 
have no dependency on any version of log4j.


Web applications deployed on Tomcat may have a dependency on log4j. You 
should seek support from your application vendors on how best to address 
this vulnerability.


Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x 
(8.5.3 and earlier) provided optional support for switching Tomcat's 
internal logging to log4j 1.x. Anyone using these very old (5+ 
years), unsupported versions of Tomcat that switched to using log4j 1.x 
may need to address this vulnerability as log4j 1.x may be affected in 
some (probably rarely used) configurations. Regardless, they'll need to 
address the Tomcat vulnerabilities that have been made public in those 
5+ years.


It is possible to configure Tomcat to use log4j 2.x for Tomcat's 
internal logging. This requires explicit configuration and the addition 
of the log4j 2.x library. Anyone who has switched Tomcat's internal 
logging to log4j 2.x is likely to need to address this vulnerability.


In most cases, disabling the problematic feature will be the simplest 
solution. Exactly how to do that depends on the exact version of log4j2 
being used. Details are provided on the log4j2 security page [1].


If not already subscribed, you may wish to follow the ASF announcements 
mailing list [2] where any significant updates from the logging project 
will be posted.


If you have any questions regarding this issue or how to mitigate it, 
please direct them to the Apache Tomcat Users mailing list [3].


The Apache Tomcat Security Team


[1] https://logging.apache.org/log4j/2.x/security.html

[2] https://www.apache.org/foundation/mailinglists.html#foundation-announce

[3] https://tomcat.apache.org/lists.html#tomcat-users

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
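The announcement separates two cases: Tomcat's own internal logging switched to log4j 2.x (a log4j-core jar on Tomcat's classpath, normally under lib/) and a deployed web application that bundles its own copy (under webapps/, possibly inside a packed .war). Telling them apart is easiest by scanning the installation tree. The script below is an added example, not part of Mark Thomas's message or of the Tomcat project. It assumes the standard $CATALINA_HOME layout (lib/, bin/, webapps/), uses constructed zip files as stand-ins for real log4j-core jars, and demonstrates one of the mitigations the linked log4j2 security page lists for "disabling the problematic feature": removing JndiLookup.class from a log4j-core 2.x jar. It reports version and scope for each finding but does not decide which versions are affected; that determination belongs to the log4j2 security page.

```python
# Example code, not Tomcat's own. Assumes the standard $CATALINA_HOME layout:
# jars directly under lib/ or bin/ are Tomcat's own logging classpath (the
# "switched internal logging to log4j 2.x" case); jars under webapps/ belong
# to deployed applications. Sample jars below are constructed, not real.
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Removing this class from a log4j-core 2.x jar is the class-removal mitigation
# listed on the log4j2 security page linked from the announcement.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def scope_of(rel_path):
    """Classify where in the Tomcat tree a jar lives ('x.war!/y.jar' means nested)."""
    parts = Path(rel_path.split("!/", 1)[0]).parts
    if parts and parts[0] in ("lib", "bin"):
        return "tomcat-internal"
    if len(parts) > 1 and parts[0] == "webapps":
        return "webapp:" + Path(parts[1]).stem
    return "other"

def inspect_core_jar(data, rel_path):
    """Build a finding for one log4j-core jar from its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return {"path": rel_path,
            "version": CORE_JAR_RE.search(rel_path).group(1),
            "scope": scope_of(rel_path),
            "jndi_lookup_present": JNDI_LOOKUP in names}

def scan_tree(root):
    """Return a finding for every log4j-core jar under root, nested ones included."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if CORE_JAR_RE.search(path.name):
            findings.append(inspect_core_jar(path.read_bytes(), rel))
        elif path.suffix in (".war", ".ear", ".jar") and zipfile.is_zipfile(path):
            # A packed .war (or fat jar) may carry log4j-core under WEB-INF/lib.
            with zipfile.ZipFile(path) as zf:
                for entry in zf.namelist():
                    if CORE_JAR_RE.search(entry):
                        findings.append(inspect_core_jar(zf.read(entry), rel + "!/" + entry))
    return sorted(findings, key=lambda f: f["path"])

def strip_jndi_lookup(jar_bytes):
    """Return a copy of a log4j-core jar with JndiLookup.class removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def _fake_jar(entries):
    """Constructed stand-in for a log4j-core jar: a zip holding a manifest plus entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample $CATALINA_HOME with one Tomcat-internal and one webapp log4j-core."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "webapps").mkdir()
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(_fake_jar([JNDI_LOOKUP]))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", _fake_jar([JNDI_LOOKUP]))
    (root / "webapps" / "api.war").write_bytes(war.getvalue())
    return root

def run_sample():
    """Scan the constructed tree, mitigate the Tomcat-internal jar, rescan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        before = scan_tree(root)
        jar = root / "lib" / "log4j-core-2.14.1.jar"
        jar.write_bytes(strip_jndi_lookup(jar.read_bytes()))
        after = inspect_core_jar(jar.read_bytes(), "lib/log4j-core-2.14.1.jar")
    return before, after

if __name__ == "__main__":
    before, after = run_sample()
    for finding in before:
        print(finding)
    print("after mitigation:", after)
```

On a real installation, point scan_tree at $CATALINA_HOME (and at $CATALINA_BASE if the two differ) and treat any "tomcat-internal" finding as the case the announcement describes; "webapp:" findings are for the application vendor. Patching a jar in place is shown only to illustrate the class-removal mitigation; on a live system, prefer upgrading log4j per the log4j2 security page, and always keep a copy of the original jar.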



Tomcat 8.5.74

2021-12-14 Thread Christopher Schultz

All,

Apologies for not matching the release-cadence of Tomcat 10.x and 9.x 
this month. I will try to begin the process later today. If anyone wants 
to get anything in before the release, please let me know and I'll hold 
off a little.


Thanks for your patience.

-chris




Re: [tomcat] branch 10.0.x updated: Add change log entry for BZ 65724

2021-12-14 Thread Rainer Jung



Minor typo in changelog, probably all branches noted below.

On 06.12.2021 at 09:40, ma...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
  new c2d4bc0  Add change log entry for BZ 65724
c2d4bc0 is described below

commit c2d4bc06285fbfcb1f5b26305dbf18e0c77486f0
Author: Mark Thomas 
AuthorDate: Mon Dec 6 08:40:01 2021 +

 Add change log entry for BZ 65724
---
  webapps/docs/changelog.xml | 9 +
  1 file changed, 9 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3e74120..182e714 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
issues do not "pop up" wrt. others).
  -->
  
+  
+
+  
+65724: Fix missing messages for some
+PropertyNotWtriableExceptions caused by a typo in the name


s/Wtriable/Writable/


+used for a resource string. (markt)
+  
+
+  
  
  
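Review bot: the `+65724:` line of this hunk spells the exception class as `PropertyNotWtriableExceptions`; the changelog renders that text verbatim, so it should read `PropertyNotWritableExceptions`, as the reply above also points out, and the same correction applies on every branch this entry was committed to. Separately, the `+` lines at the start and end of the addition arrive empty in this quote, so the changelog's surrounding section and fix markup cannot be checked for well-formedness from the hunk as shown here.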



Thanks and regards,

Rainer
