Further, Apache Tomcat 7 reached end of life as of 31 March 2021 and is
no longer supported by this community.
This means we no longer assess Tomcat 7 against reported security
vulnerabilities so even if your client is running the latest Tomcat 7
version available, 7.0.109, there have been a number of security
vulnerabilities reported since then that Tomcat 7 is likely to be
exposed to.
Your client needs to update to at least the latest 8.5.x release and
should strongly consider updating to the latest 9.0.x release.

Mark

On 28/01/2022 15:57, Tim Funk wrote:
Out of the box, no version of Apache Tomcat uses any log4j version.
If log4j is used, it is by a specific application (not provided by the ASF)
deployed to Tomcat. (Or an admin changed the default install to add it)

-Tim

On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21
<samuel.anderson-burr...@cloud21.net.invalid> wrote:

Good Afternoon Apache

Hope you're well, my name is Samuel I work for a Security firm Cloud 21 and
we have been working with a client who uses your software in particular
Tomcat.
We are looking to see if there is a security patch against log4j. The
version they are using is tomcat 7, checking your dedicated page for Tomcat
version 7 Apache Tomcat® - Apache Tomcat 7 vulnerabilities<
https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities>
there does not appear to be an article to patch against it.
Forgive me if I'm not looking in the correct area. If there is one, please
could you point me in the right direction. I did try and email your security
mailbox but received an automated message back saying that I needed to be
on the subscribed list, which I have attempted to subscribe to, but I have
not had a response back yet.
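
Added example (not part of the mailing-list thread and not Apache Tomcat code): because any log4j on a Tomcat host comes from a deployed application or an administrator's change, as the replies above say, an inventory of the installation directory shows where it actually lives. The function names, the file-name pattern and the use of the JndiLookup class path to spot renamed jars are this example's own assumptions.

```python
import io, re, sys, zipfile
from pathlib import Path

# File names: log4j-core-<ver>.jar (Log4j 2) and log4j-<ver>.jar (Log4j 1).
NAME_RE = re.compile(r"(log4j(?:-core)?)-(\d[\w.\-]*)\.jar$", re.I)
# Class found in log4j-core 2.x jars; identifies renamed or repackaged copies.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(label, data):
    """Return (label, artifact, version, has_jndi_lookup), or None if not log4j."""
    m = NAME_RE.search(label)
    has_jndi = False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            has_jndi = JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        pass  # unreadable archive: fall back to the file name only
    if not m and not has_jndi:
        return None
    name, version = (m.group(1).lower(), m.group(2)) if m else ("unknown", "unknown")
    return (label, name, version, has_jndi)

def iter_jars(root):
    """Yield (label, bytes) for loose .jar files and for jars packed in .war files."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".jar":
            yield rel, path.read_bytes()
        elif path.suffix.lower() == ".war":
            try:
                with zipfile.ZipFile(path) as war:
                    for name in war.namelist():
                        if name.lower().endswith(".jar"):
                            yield f"{rel}!{name}", war.read(name)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip it

def scan(root):
    """List every log4j jar found under a Tomcat directory (lib/, webapps/, ...)."""
    return [hit for label, data in iter_jars(root) if (hit := inspect_jar(label, data))]

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit, sep="\t")
```

Run it against the Tomcat installation directory; a label containing "!" means the jar sits inside an unexpanded .war file.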