[thredds] Apache Tomcat and Log4j vulnerability

Hello all,

The following message was sent out by the developers for Tomcat a few days
ago.

It appears that only 8.0.x and some 8.5.x versions of Tomcat use log4j as a
default.  While current versions do have the capability to utilize log4j, *this
is not enabled by default* and Tomcat must be configured to allow log4j use.

I'm not sure if any of the above situations apply to you, but if you are
using a current version of Tomcat "out-of-the-box" you should be fine.

We will post any relevant follow up information to this list as we receive
it.

Please let us know if you have any questions (thredds-support@xxxxxxxxxxxxxxxx).

Kind regards,
THREDDS development team


> Mark Thomas <markt@xxxxxxxxxx>
> Tue, Dec 14, 2:52 AM (4 days ago)
> to Tomcat, Tomcat, announce@xxxxxxxxxxxxxxxxx, announce
>
> The following represents the current understanding of the Apache Tomcat
> security team at the time this announcement was issued. There is a lot
> of security research being focussed on log4j2 at the moment and it is
> probable that additional information will emerge.
>
> Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x)
> have no dependency on any version of log4j.
>
> Web applications deployed on Tomcat may have a dependency on log4j. You
> should seek support from your application vendors on how best to address
> this vulnerability.
>
> Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x
> (8.5.3 and earlier) provided optional support for switching Tomcat's
> internal logging to log4j 1.x. Anyone using these very old (5+
> years), unsupported versions of Tomcat that switched to using log4j 1.x
> may need to address this vulnerability as log4j 1.x may be affected in
> some (probably rarely used) configurations. Regardless, they'll need to
> address the Tomcat vulnerabilities that have been made public in those
> 5+ years.
>
> It is possible to configure Tomcat to use log4j 2.x for Tomcat's
> internal logging. This requires explicit configuration and the addition
> of the log4j 2.x library. Anyone who has switched Tomcat's internal
> logging to log4j 2.x is likely to need to address this vulnerability.
>
> In most cases, disabling the problematic feature will be the simplest
> solution. Exactly how to do that depends on the exact version of log4j2
> being used. Details are provided on the log4j2 security page [1].
>
> If not already subscribed, you may wish to follow the ASF announcements
> mailing list [2] where any significant updates from the logging project
> will be posted.
>
> If you have any questions regarding this issue or how to mitigate it,
> please direct them to the Apache Tomcat Users mailing list [3].
>
> The Apache Tomcat Security Team
>
> [1] https://logging.apache.org/log4j/2.x/security.html
> [2] https://www.apache.org/foundation/mailinglists.html#foundation-announce
> [3] https://tomcat.apache.org/lists.html#tomcat-users
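The announcement above separates three situations: log4j shipped by a web application (ask the vendor), Tomcat's own logging switched to log4j 1.x on an old 8.0.x/8.5.x install, and Tomcat's own logging switched to log4j 2.x, where the fix is to upgrade or disable the lookup feature per the log4j2 security page. The scanner below maps a Tomcat tree onto those cases. It is an added example for this thread, not code from the THREDDS or Tomcat projects, and it assumes things the message does not state: a standard CATALINA_HOME/CATALINA_BASE layout with lib/ and webapps/, a Maven pom.properties inside log4j-core jars, the JNDI lookup implemented in org/apache/logging/log4j/core/lookup/JndiLookup.class (the class the linked security page documents deleting from the jar as a mitigation), and tomcat-juli-adapters.jar in lib/ as the leftover of the old log4j 1.x switch. The Tomcat tree it scans is constructed inline as a fixture.

```python
"""Inventory log4j jars under a Tomcat tree and sort them into the cases the announcement lists.
Added example for this thread, not THREDDS or Tomcat code. Assumed, not stated on the page: a
lib/ and webapps/ layout, pom.properties in log4j-core jars, the JNDI class path below, and
tomcat-juli-adapters.jar as the marker of the old 8.0.x-era log4j 1.x switch."""
import io, os, re, tempfile, zipfile
from collections import namedtuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# log4j-1.2.17.jar (1.x) or log4j-core-2.14.1.jar (2.x); log4j-api and the log4j-1.2-api bridge don't match
LOG4J_JAR = re.compile(r"^(log4j-core|log4j)-(\d+(?:\.\d+)*)\.jar$")
# scope: "server" = Tomcat's own logging, "webapp" = application dependency; jndi None = 1.x or unreadable
Finding = namedtuple("Finding", "location artifact version jndi_lookup_present scope")

def inspect_jar(name, data):
    """Return (artifact, version, jndi_present) for a log4j jar, or None for anything else."""
    m = LOG4J_JAR.match(os.path.basename(name))
    if not m:
        return None
    artifact, version, jndi = m.group(1), m.group(2), None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            names = set(jar.namelist())
            if POM_PROPS in names:  # trust Maven's recorded version over a possibly renamed file
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            if artifact == "log4j-core":
                jndi = JNDI_LOOKUP_CLASS in names
    except zipfile.BadZipFile:
        pass  # keep the filename's version; advice() sends the reader to inspect it by hand
    return artifact, version, jndi

def scan_tomcat(root):
    """Walk a CATALINA_HOME or CATALINA_BASE and report every log4j jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                info = inspect_jar(fn, fh.read())
            if info:
                findings.append(Finding(rel, *info, "webapp" if rel.startswith("webapps/") else "server"))
    return findings

def internal_logging_uses_log4j(root, findings):
    """The announcement's 'switched internal logging' case: log4j outside webapps/, or the old adapter jar in lib/."""
    return any(f.scope == "server" for f in findings) or os.path.exists(os.path.join(root, "lib", "tomcat-juli-adapters.jar"))

def advice(f):
    if f.artifact == "log4j":
        return "log4j 1.x: unsupported; affected only in some configurations, per the announcement"
    if f.jndi_lookup_present:
        return "JndiLookup.class present: check %s against the log4j2 security page" % f.version
    return "JndiLookup.class absent" if f.jndi_lookup_present is False else "jar unreadable: inspect by hand"

def make_jar(entries):
    """Constructed minimal jar: a zip holding the given {member path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def build_sample_tomcat(root):
    """Constructed CATALINA_HOME with one instance of each case the announcement describes."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; the scan never reads class contents
    def pom(v): return ("groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % v).encode()
    files = {
        # Tomcat's own logging switched to log4j 2.x; the lookup class is still shipped
        "lib/log4j-core-2.14.1.jar": make_jar({POM_PROPS: pom("2.14.1"), JNDI_LOOKUP_CLASS: stub}),
        "lib/log4j-api-2.14.1.jar": make_jar({"org/apache/logging/log4j/Logger.class": stub}),
        # exploded webapp still on log4j 1.x
        "webapps/legacy/WEB-INF/lib/log4j-1.2.17.jar": make_jar({"org/apache/log4j/Logger.class": stub}),
        # exploded webapp whose operator already deleted JndiLookup.class from the jar
        "webapps/patched/WEB-INF/lib/log4j-core-2.14.1.jar": make_jar({POM_PROPS: pom("2.14.1")}),
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def run_demo():
    """Build the fixture, scan it, print the report; return ({location: fields}, internal-logging flag)."""
    root = tempfile.mkdtemp(prefix="catalina-")
    build_sample_tomcat(root)
    findings = scan_tomcat(root)
    for f in findings:
        print("[%s] %s: %s %s: %s" % (f.scope, f.location, f.artifact, f.version, advice(f)))
    internal = internal_logging_uses_log4j(root, findings)
    print("Tomcat internal logging uses log4j:", internal)
    return {f.location: (f.artifact, f.version, f.jndi_lookup_present, f.scope) for f in findings}, internal

if __name__ == "__main__":
    run_demo()
```

On a real host call scan_tomcat() on CATALINA_HOME and, if they differ, CATALINA_BASE. Three things it cannot see: log4j-core shaded into an application's own jar under another name, jars reached through a CLASSPATH set in bin/setenv.sh that points outside the tree, and WARs that were never exploded (Host unpackWARs="false"), which need an unzip -l of their WEB-INF/lib. A present JndiLookup.class is a prompt to compare the version with the linked security page rather than a verdict on its own, since later 2.x releases keep the class but turn the lookup off.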