This repository has been archived by the owner on Jun 16, 2022. It is now read-only.

Apache Tomcat not vulnerable? #106

Closed

delgurth opened this issue Dec 13, 2021 · 0 comments

Labels

software

delgurth commented Dec 13, 2021

In the list it says Apache Tomcat is vulnerable. But looking at the source, Tomcat is not mentioned.

Log4j says that you need to add log4j2 to tomcat in order for it to work. So a default tomcat does not have log4j2.

This is also pointed out in the Tomcat documentation itself:

The internal logging for Apache Tomcat uses JULI, a packaged renamed fork of Apache Commons Logging that is hard-coded to use the java.util.logging framework. This ensures that Tomcat's internal logging and any web application logging will remain independent, even if a web application uses Apache Commons Logging.

pbeij added the software label

rkokkelk closed this as completed in

c26ee5f

This issue was closed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.