The topcat war file in the distribution zip file contains the log4j (version 1) jar file. Whilst not as serious as the original exploit on log4j version 2, there have since been a few flaws found in version 1. The latest of these was related to the "chainsaw" functionality it contains.
I don't understand why the log4j jar file is in the final distribution at all, because it is a dependency of one of the test dependencies, but anyway it is there and should be removed to be completely safe. TopCAT does not use this for logging as it uses logback.
It is unlikely that a new version of TopCAT will be released because it is currently being replaced by DataGateway, so for now the mitigation for this is to remove the log4j jar file from the war file and then redeploy TopCAT.
To do this:

1. Navigate to the directory where the TopCAT distribution zip file was unzipped.
2. Run the following command to remove the log4j jar file from the topcat war file: `zip -d topcat-2.4.8.war WEB-INF/lib/log4j-1.2.13.jar`
3. Redeploy TopCAT with `./setup install`.
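An added example (not part of the TopCAT project or this issue) that audits a WAR for bundled log4j 1.x jars, strips them, and verifies the result, using Python's `zipfile` in place of `zip -d`. The sample WAR, its jar names and contents are constructed here for the demo.

```python
"""Audit a WAR (a zip) for bundled log4j 1.x jars, strip them, then re-check."""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# log4j 1.x ships as WEB-INF/lib/log4j-1.<minor>.<patch>.jar (e.g. log4j-1.2.13.jar);
# log4j 2 uses log4j-core/log4j-api names, which this pattern deliberately ignores.
LOG4J1_RE = re.compile(r"^WEB-INF/lib/log4j-1\.[0-9.]+\.jar$")


def find_log4j1_entries(war_path):
    """Return the sorted names of log4j 1.x jar entries found inside the WAR."""
    with zipfile.ZipFile(war_path) as war:
        return sorted(n for n in war.namelist() if LOG4J1_RE.match(n))


def strip_entries(war_path, entries):
    """Rewrite the WAR without `entries` (zipfile cannot delete in place).

    The original is kept as <war>.bak so the change can be reverted.
    Returns the list of log4j 1.x entries still present afterwards.
    """
    war_path = Path(war_path)
    backup = war_path.with_suffix(war_path.suffix + ".bak")
    shutil.copyfile(war_path, backup)
    drop = set(entries)
    tmp = war_path.with_suffix(".tmp")
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in drop:  # copy everything except the flagged jars
                dst.writestr(info, src.read(info.filename))
    tmp.replace(war_path)
    return find_log4j1_entries(war_path)  # expected to be [] once the jar is gone


def build_sample_war(war_path):
    """Constructed stand-in for topcat-2.4.8.war: a fake log4j 1 jar beside an unrelated one."""
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.13.jar", b"constructed placeholder, not a real jar")
        war.writestr("WEB-INF/lib/logback-classic-1.2.3.jar", b"constructed placeholder")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")


def run_demo(workdir=None):
    """Build the sample WAR, audit, strip, and return (found, left_after, remaining_entries)."""
    war = Path(workdir or tempfile.mkdtemp()) / "topcat-2.4.8.war"
    build_sample_war(war)
    found = find_log4j1_entries(war)
    left = strip_entries(war, found)
    with zipfile.ZipFile(war) as z:
        remaining = sorted(z.namelist())
    return found, left, remaining


if __name__ == "__main__":
    print(run_demo())
```

Run `find_log4j1_entries` on the real `topcat-2.4.8.war` after redeploying to confirm the jar is no longer bundled.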