stating that the presence of Tomcat alone would
open up another attack vector through log4j2.
Best regards,
David
-Original Message-
From: Juri Berlanda
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time
Hi,
we were affected - we use an AccessLogValve, which logs to Log4j2 and we
use Log4j as java.util.logging LogManager. We already patched, but only
on Saturday.
In any case: in a lot of places I saw "recent JRE versions have a
mitigation in place", but I can't seem to find which JRE version
d solution.
Cheers,
Juri
On 11/27/19 1:08 PM, Mark Thomas wrote:
On 26/11/2019 21:22, Juri Berlanda wrote:
Hi,
I never built Tomcat from source, but I guess there is a first time for
everything :-)
I'm out of office tomorrow, but I will give it a shot on Thursday and
let you know how it went. W
On 26/11/2019 16:35, Mark Thomas wrote:
On 25/11/2019 19:17, Juri Berlanda wrote:
Hi all,
I post my Stacktrace again, as I mistakenly previously only sent it to
Rémy Maucherat.
I'll try to make it as short as possible:
Maybe a variation of:
https://bz.apache.org/bugzilla/show_bug.cgi?id=
s not seem to be an endless recursion, as it seems to escape,
but it seems to be too late and too deep in the stack. I'm really not sure
what to make of this.
Cheers,
Juri
On 11/25/19 5:01 PM, Rémy Maucherat wrote:
On Mon, Nov 25, 2019 at 3:03 PM Juri Berlanda
wrote:
Hi all,
ok, I'
Hi all,
I just tried to deploy my WebApplication (OpenWebBeans, MyFaces) to
Tomcat 9.0.29. While everything works fine in 9.0.27, on 9.0.29 as soon
as I access any page I get:
25-Nov-2019 14:01:34.842 SEVERE [http-nio-8080-exec-4]
org.apache.catalina.core.StandardWrapperValve.invoke Servlet.