Apache Log4j Security Vulnerabilities

Posted: Mon Dec 13, 2021 7:38 am
by mwdazzo
We are running z/OS 2.4 with Tomcat/8.5.6. There is an Apache Log4j vulnerability issued for users of log4j 2.0 or later. How do I find out if I have log4j version 2.0 or later? Thanks, Matt

https://logging.apache.org/log4j/2.x/security.html

Re: Apache Log4j Security Vulnerabilities

Posted: Mon Dec 13, 2021 7:41 am
by mwdazzo
Here is the log4j file.

### direct log messages to stdout ###
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

#### This appender writes all log statements with
log4j.appender.vertexproxy.name=vertexproxy
log4j.appender.vertexproxy=org.apache.log4j.RollingFileAppender

#v6 production
#log4j.appender.vertexproxy.File=/u/vertexproxy/logs/debug.log
#current test
#log4j.appender.vertexproxy.File=/u01/vertexproxy/logs/debug.log
#v8 production
log4j.appender.vertexproxy.File=/u/tcv8/vertexproxy/logs/debug.log

log4j.appender.vertexproxy.layout=org.apache.log4j.PatternLayout
log4j.appender.vertexproxy.layout.ConversionPattern=%d %p [%c{1}.%M]:%t: - %m%n
# Control the maximum log file size
log4j.appender.vertexproxy.MaxFileSize=5000KB
# Archive log files (keep up to 10 backup files)
log4j.appender.vertexproxy.MaxBackupIndex=10

### set log levels - for more verbose logging change 'info' to 'debug' ###

log4j.rootLogger=info, vertexproxy, stdout

log4j.logger.org.springframework.web.servlet.mvc=info
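The properties file above only shows which appender classes the application asks for (the org.apache.log4j.* names belong to the log4j 1.x API; log4j 2 lives under org.apache.logging.log4j), not which jar is actually on the classpath. The script below is an added example, not part of this thread or of the Dovetail Tomcat distribution: it walks a directory tree such as the Tomcat home passed as its first argument, finds every log4j jar, reads the version from META-INF/MANIFEST.MF when unzip is available, falls back to the version in the file name, and reports whether the jar is a 1.x or 2.x build.

```shell
#!/bin/sh
# Inventory log4j jars under a Tomcat tree and report which branch each is.
# Assumes: POSIX sh, find, sed, awk, tr; unzip is optional (on z/OS USS the
# JDK's "jar xf" can extract the manifest instead).

# Version from a jar file name, e.g. log4j-core-2.14.1.jar -> 2.14.1,
# log4j-1.2.17.jar -> 1.2.17. Prints nothing when the name carries no version.
version_from_name() {
    basename "$1" .jar | sed -n 's/.*-\([0-9][0-9]*\(\.[0-9][0-9]*\)*\)$/\1/p'
}

# Version from MANIFEST.MF text on stdin (first Implementation-Version or
# Bundle-Version header). Manifests use CRLF line ends, so strip the CR.
version_from_manifest() {
    tr -d '\r' | awk -F': ' '/^(Implementation-Version|Bundle-Version):/ { print $2; exit }'
}

# Classify a version string: 2.x is the branch the Apache advisory covers,
# 1.x is the legacy API the properties file above is written for.
log4j_branch() {
    case "$1" in
        1.*) echo "log4j 1.x" ;;
        2.*) echo "log4j 2.x" ;;
        *)   echo "unknown" ;;
    esac
}

# Walk a tree (e.g. $CATALINA_HOME, including webapps/*/WEB-INF/lib) and print
# one tab-separated line per log4j jar: path, version, branch.
scan_for_log4j() {
    find "$1" -type f -iname '*log4j*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=""
        if command -v unzip >/dev/null 2>&1; then
            ver=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null | version_from_manifest)
        fi
        [ -n "$ver" ] || ver=$(version_from_name "$jar")
        printf '%s\t%s\t%s\n' "$jar" "${ver:-?}" "$(log4j_branch "$ver")"
    done
}

# Usage: sh log4j-inventory.sh /path/to/tomcat
if [ -n "${1:-}" ]; then
    scan_for_log4j "$1"
fi
```

A jar whose manifest lacks a version header and whose name carries none is reported as unknown, so inspect those by hand rather than assuming they are safe.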

Re: Apache Log4j Security Vulnerabilities

Posted: Tue Dec 14, 2021 1:58 pm
by dovetail
We are not aware that Tomcat distributes log4j.
We have also not added log4j to our version of the Tomcat distribution.
This does not say that your site has not added log4j to Tomcat either in the base classpath or in one of your webapps.

If you have concerns about your own potential use of log4j, you should follow the advice on the Apache website.