Geoserver - Replacing log4j 1.2.17 with 2.15.0?

I have a geoserver on my webserver that uses log4j v 1.2.17 (log4j-1.2.17.jar).

I've downloaded the latest (safe?) version (2.15.0) from the log4j download site and checksummed the download.

I'm now confused as to which .jar I should try and use?

The version on my website is called log4j-1.2.17.jar, but the .jars in the download are all called something like log4j-web-2.15.0.jar.

The geoserver's web server is jetty if that makes any difference.

What to do?

minisaurus asked Dec 12 '21 16:12



2 Answers

There are significant changes in the way logging is done in the switch from log4j v1 (the one GeoServer uses) and log4j v2 (the one with the latest CVE). While GeoServer is immune to the RCE vulnerability mentioned in the question, there are still some small risks in using the old (and EOL) version we do use.

So as a temporary mitigation Andrea Aime has made a fork of the current log4j v1 trunk removing the network elements that might be abused by an attacker that has access to your GeoServer machine. See https://github.com/aaime/log4j for the tree you will need to clone and build. This will generate a new jar called log4j-1.2.17-norce.jar, which you should use to replace log4j-1.2.17.jar. You can now download that jar prebuilt from https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17/log4j-1.2.17-norce.jar

If you make use of GeoServer then you might like to contribute to the developers (or via the OSGEO foundation) to help support the work involved in reducing the technical debt of the project like updating the logging library.

Ian Turton answered Oct 20 '22 02:10
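A defender's verification step, added here as an example and not part of the answer above or of the GeoServer project: it lists the class entries under `org/apache/log4j/net/` inside a log4j 1.2.17 jar, so after swapping in the `-norce` build you can confirm that the jar in `WEB-INF/lib` no longer carries the network appenders and socket server. It assumes the fork removes that package (an assumption, not something stated on the page); the two jars it checks are constructed in memory so it runs offline.

```python
import io
import zipfile
from pathlib import Path

# Assumption: the -norce fork strips the network components that live under
# org/apache/log4j/net/ (SocketServer, SocketAppender, JMSAppender, SMTPAppender, ...).
# Any .class entry with this prefix means the jar is still the stock 1.2.17 build.
NETWORK_PREFIX = "org/apache/log4j/net/"


def network_classes(jar_bytes: bytes) -> list[str]:
    """Return the sorted class entries under org/apache/log4j/net/ in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist()
                      if n.startswith(NETWORK_PREFIX) and n.endswith(".class"))


def audit_lib_dir(lib_dir: Path) -> dict[str, list[str]]:
    """Map every log4j-1.2.17*.jar in a WEB-INF/lib directory to its network classes."""
    return {p.name: network_classes(p.read_bytes())
            for p in sorted(lib_dir.glob("log4j-1.2.17*.jar"))}


def make_jar(entries: list[str]) -> bytes:
    """Build a constructed in-memory jar containing the given (empty) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-ins: a stock-style jar and a jar with the net package removed.
STOCK_JAR = make_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/JMSAppender.class",
])
NORCE_JAR = make_jar(["org/apache/log4j/Logger.class"])

if __name__ == "__main__":
    import sys
    # Usage: python check_log4j_jar.py /path/to/geoserver/WEB-INF/lib
    for name, hits in audit_lib_dir(Path(sys.argv[1])).items():
        status = "still contains network classes" if hits else "network package absent"
        print(f"{name}: {status}")
```

Run it against the GeoServer `WEB-INF/lib` directory before and after the swap; the old jar should report hits and the replacement none.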


There is a way to deactivate the log4j logging:

https://docs.geoserver.org/stable/en/user/configuration/logging.html

Forcing GeoServer to use an alternate logging redirection

[Updated] https://osgeo-org.atlassian.net/browse/GEOS-10333

Andrei Chiochiu answered Oct 20 '22 03:10