Apache Log4j Security Vulnerabilities

Issues and Questions related to running Apache Tomcat on z/OS

Apache Log4j Security Vulnerabilities

Post by mwdazzo »

We are running z/OS 2.4 with Tomcat/8.5.6. There is an Apache Log4j vulnerability issued for users of log4j 2.0 or later. How do I find out if I have log4j version 2.0 or later? Thanks, Matt

https://logging.apache.org/log4j/2.x/security.html

Re: Apache Log4j Security Vulnerabilities

Post by mwdazzo »

Here is the log4j file.

### direct log messages to stdout ###
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

#### This appender writes all log statements with
log4j.appender.vertexproxy.name=vertexproxy
log4j.appender.vertexproxy=org.apache.log4j.RollingFileAppender

#v6 production
#log4j.appender.vertexproxy.File=/u/vertexproxy/logs/debug.log
#current test
#log4j.appender.vertexproxy.File=/u01/vertexproxy/logs/debug.log
#v8 production
log4j.appender.vertexproxy.File=/u/tcv8/vertexproxy/logs/debug.log

log4j.appender.vertexproxy.layout=org.apache.log4j.PatternLayout
log4j.appender.vertexproxy.layout.ConversionPattern=%d %p [%c{1}.%M]:%t: - %m%n
# Control the maximum log file size
log4j.appender.vertexproxy.MaxFileSize=5000KB
# Archive log files (one backup file here)
log4j.appender.vertexproxy.MaxBackupIndex=10

### set log levels - for more verbose logging change 'info' to 'debug' ###

log4j.rootLogger=info, vertexproxy, stdout

log4j.logger.org.springframework.web.servlet.mvc=info

Re: Apache Log4j Security Vulnerabilities

Post by dovetail »

We are not aware that Tomcat distributes log4j.
We have also not added log4j to our version of the Tomcat distribution.
This does not say that your site has not added log4j to Tomcat either in the base classpath or in one of your webapps.

If you have concerns about your own potential use of log4j, you should follow the advice on the Apache website.
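
Added example, not part of the thread and not Dovetail or Apache code: one way to answer the version question is to inventory every jar under the Tomcat tree, including jars nested inside WAR files, and classify it by package. Log4j 1.x classes live under `org.apache.log4j` (the package named in the properties file posted above), while log4j-core 2.x lives under `org.apache.logging.log4j.core` and records its version in a Maven `pom.properties` entry. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import io, os, pathlib, re, sys, tempfile, zipfile

ARCHIVES = (".jar", ".war", ".ear")
V1_MARK = "org/apache/log4j/Logger.class"               # 1.x API package
V2_CORE = "org/apache/logging/log4j/core/Logger.class"  # log4j-core 2.x package
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_archive(data, label, findings):
    """Record log4j evidence in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable or not an archive: nothing to report
    with zf:
        names = zf.namelist()
        if V2_CORE in names:
            pom = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
            m = re.search(r"^version=(.+)$", pom, re.M)
            findings.append((label, "log4j-core 2.x", m.group(1).strip() if m else "unknown"))
        elif V1_MARK in names:
            findings.append((label, "log4j 1.x API", "unknown"))
        for n in (n for n in names if n.lower().endswith(ARCHIVES)):
            inspect_archive(zf.read(n), label + "!/" + n, findings)

def scan(root):
    """Walk root and return (location, family, version) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVES)):
            with open(path, "rb") as fh:
                inspect_archive(fh.read(), path, findings)
    return findings

def make_jar(entries):  # constructed sample data: an in-memory archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def constructed_demo():
    """Scan a constructed tree: a WAR nesting a fake log4j-core, plus a fake 1.x jar."""
    root = tempfile.mkdtemp()
    core = make_jar({V2_CORE: b"", POM: "version=0.0-constructed\n"})
    pathlib.Path(root, "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": core}))
    pathlib.Path(root, "log4j.jar").write_bytes(make_jar({V1_MARK: b""}))
    return sorted((os.path.relpath(loc, root), fam, ver) for loc, fam, ver in scan(root))

if __name__ == "__main__":
    print(*(scan(sys.argv[1]) if len(sys.argv) > 1 else constructed_demo()), sep="\n")
```

Pass the Tomcat base directory (the one holding `lib` and `webapps`) as the argument; with no argument the script scans only its constructed sample. A "log4j 1.x API" hit can also come from a compatibility bridge jar that ships the same package, so confirm by jar name before drawing conclusions.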