On 10/12/2021 22:17, James H. H. Lampert wrote:
A customer brought this to my attention:

https://www.randori.com/blog/cve-2021-44228/

I have no idea how (or if) Tomcat is affected. I have only the vaguest idea what this vulnerability even *is.*

Can anybody here shed any light?

Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) have no dependency on log4j.

Applications may have a dependency on log4j. You should seek support from your application vendors on how best to address this vulnerability although disabling the vulnerable feature is likely to be the simplest solution.

Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x provided optional support for switching Tomcat's internal logging to log4j 1.x. Anyone using these very old (5+ years), unsupported versions that switched to using log4j 1.x may need to address this vulnerability, although it is not clear if log4j 1.x is affected. Regardless, they'll need to address the Tomcat vulnerabilities that have been made public in those 5+ years.

It is possible to configure Tomcat to use log4j 2.x for its internal logging. This requires explicit configuration and the addition of the log4j 2.x library. Anyone who has switched Tomcat's internal logging to log4j 2.x is likely to need to address this vulnerability. Again, disabling the vulnerable feature is likely to be the simplest solution.

As Jon McAlexander has pointed out, adding the following to CATALINA_OPTS in setenv.sh / setenv.bat will disable the problematic feature:

-Dlog4j2.formatMsgNoLookups=true

Mark
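The mitigation Mark describes is a one-line change, but in practice an operator wants two things: a way to apply it to setenv.sh without duplicating the flag on repeated runs, and a way to confirm that the running JVM actually picked it up (a setenv.sh edit does nothing until Tomcat is restarted). The script below is an added example written for this post, not code from the Tomcat project or from the thread. It assumes the standard layout where catalina.sh sources $CATALINA_BASE/bin/setenv.sh, and the Linux /proc filesystem for the running-process check; the function names are the example's own. Note that the log4j2.formatMsgNoLookups property only exists in Log4j 2.10 and later, so on older 2.x builds the lasting fix is to upgrade the library rather than to set the flag.

```shell
#!/bin/sh
# Added example for the Tomcat users thread above; not Tomcat's own tooling.
# Assumes a standard Tomcat layout ($CATALINA_BASE/bin/setenv.sh, created if absent).

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Append the flag to CATALINA_OPTS in the given setenv.sh, exactly once.
# Safe to re-run: a file that already carries the flag is left untouched.
add_nolookups_flag() {
    file="$1"
    if [ -f "$file" ] && grep -qF -- "$FLAG" "$file"; then
        return 0
    fi
    # catalina.sh sources setenv.sh in its own shell, so a plain assignment is enough.
    printf '%s\n' "CATALINA_OPTS=\"\$CATALINA_OPTS $FLAG\"" >> "$file"
}

# Return 0 if a JVM command line carries the flag as a whole argument, 1 otherwise.
# Takes the argument string as given by `ps -o args=` or a /proc/PID/cmdline dump.
jvm_has_nolookups_flag() {
    case " $1 " in
        *" $FLAG "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Walk the running Java processes (Linux /proc) and report which ones carry the
# flag. A setenv.sh change only takes effect after a Tomcat restart, so this is
# the check that tells you whether the mitigation is actually live.
report_running_jvms() {
    for cmdline in /proc/[0-9]*/cmdline; do
        [ -r "$cmdline" ] || continue
        # /proc/PID/cmdline is NUL-separated; turn it into a space-separated string.
        args=$(tr '\0' ' ' < "$cmdline" 2>/dev/null) || continue
        case "$args" in
            *java*) ;;
            *) continue ;;
        esac
        pid=${cmdline#/proc/}
        pid=${pid%/cmdline}
        if jvm_has_nolookups_flag "$args"; then
            echo "pid $pid: $FLAG present"
        else
            echo "pid $pid: $FLAG ABSENT (restart needed or flag not configured)"
        fi
    done
}

# Usage: ./log4j-flag.sh [path/to/setenv.sh]
#   With a path: add the flag to that setenv.sh, then report running JVMs.
#   Without:     only report running JVMs.
if [ $# -gt 0 ]; then
    add_nolookups_flag "$1"
    echo "ensured $FLAG in $1 (restart Tomcat to apply)"
fi
if [ "${0##*/}" = "log4j-flag.sh" ]; then
    report_running_jvms
fi
```

The running-process check matches the flag as a whole argument, so a partial or misspelled variant (for example a missing `=true`) is reported as absent rather than silently accepted. Pair this with a check of which log4j 2.x jar version is actually on the classpath, since the flag is a stopgap and the fix Mark recommends for application code is to get the vendor's patched build.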
