LOG4J Version in MapStore


Michael Steigemann

Dec 13, 2021, 1:56:45 PM
to mapstore-developers
Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see, Mapstore 2020.02.00 uses Log4J Version 1 (log4j-1.2.14.jar / log4j-1.2.16.jar) and luckily is not affected by the problem itself. On the other hand, the log4j version 1 in use has not been officially supported since 2015: "...Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes...." (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in Mapstore?

Thanks for your short feedback and all the best,
Michael

Lorenzo Natali

Dec 14, 2021, 12:55:40 PM
to mapstore-developers
Hi,
here is our official statement about the log4jshell vulnerability


We are going to replace the log4j with a custom version that doesn't contain the classes involved in minor vulnerabilities (that anyway are not used by default), waiting for a future update to version 2.
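
An added example, not part of the original thread or of MapStore's code: a way to check which log4j family a deployed WAR bundles and whether a jar still ships the classes a stripped build is meant to remove. The flagged class list and the sample archive names are assumptions made for this example; the thread does not say which classes the custom build drops.

```python
import io
import zipfile

# Which classes MapStore's custom build drops is not stated in the thread;
# these two log4j 1.x network classes are an assumption made for this example.
LOG4J1_FLAGGED = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(data, name):
    """Classify one jar (bytes); list the flagged classes it still ships."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        entries = set(jar.namelist())
    if "org/apache/logging/log4j/core/Logger.class" in entries:
        flagged = [LOG4J2_JNDI] if LOG4J2_JNDI in entries else []
        return {"jar": name, "family": "log4j2-core", "flagged": flagged}
    if "org/apache/log4j/Logger.class" in entries:  # 1.x API (or a bridge jar)
        flagged = [c for c in LOG4J1_FLAGGED if c in entries]
        return {"jar": name, "family": "log4j1", "flagged": flagged}
    return None

def scan_archive(data, name):
    """Scan a WAR/JAR given as bytes, descending into nested .jar/.war files."""
    hit = inspect_jar(data, name)
    findings = [hit] if hit else []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in archive.namelist():
            if entry.lower().endswith((".jar", ".war")):
                try:
                    findings += scan_archive(archive.read(entry), f"{name}!{entry}")
                except zipfile.BadZipFile:
                    continue  # unreadable nested archive: skip, keep scanning
    return findings

def make_zip(entries):
    """Build an in-memory zip from {path: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample WAR: one stock-like 1.x jar, one with the classes removed.
    core = {"org/apache/log4j/Logger.class": b""}
    stock = make_zip({**core, **dict.fromkeys(LOG4J1_FLAGGED, b"")})
    war = make_zip({"WEB-INF/lib/log4j-1.2.16.jar": stock,
                    "WEB-INF/lib/log4j-stripped.jar": make_zip(core)})
    for f in scan_archive(war, "sample.war"):
        print(f["jar"], f["family"], f["flagged"] or "clean")
```

To scan a real deployment, read the WAR from disk as bytes and pass it to `scan_archive`.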

Michael Steigemann

Dec 14, 2021, 2:57:45 PM
to mapstore-developers
Hello Lorenzo!
Thanks for your feedback and all the best,
Michael
