Wednesday 15 December 2021

MapGuide and log4shell

The log4shell vulnerability has been making the rounds across the tech space, and since MapGuide has Java support, I did a check of our MGOS 3.1.2 and current 4.0 preview installation layouts to see if MapGuide is affected.

MapGuide's Java support comes in the form of:

  • Bundling the Apache Tomcat web server
  • Providing a Java language binding to the MapGuide API in the form of a consumable jar archive

Neither of these components carries log4j as a dependency. No log4j jar archives are present in any MGOS installation.

Therefore, you are not affected by log4shell. Everything is good!

Naturally, if your Java-based MapGuide application running on top carries the log4j dependency, you should check if the version you're consuming is affected by log4shell and upgrade that dependency to a non-vulnerable version.
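One way to run that kind of check against your own application's deployment directory, as an added example that is not part of the original post or of MapGuide itself: it walks a directory, opens every jar/war (including jars nested inside a war), and reports any log4j-core copy with the version recorded in its Maven metadata. The function names and the sample archive with its made-up version are assumptions for illustration; the scan only reports what it finds, so compare the version against the Apache log4j security advisory.

```python
import io
import os
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Entries log4j-core 2.x carries in its jar: the JNDI lookup class and Maven metadata.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(src, label, findings, depth=0):
    """Record log4j-core evidence in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not really a zip: skip it
    with zf:
        names = zf.namelist()
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            version = next((ln[8:].strip() for ln in props.splitlines()
                            if ln.startswith("version=")), "unknown")
            findings.append({"location": label, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        for name in names:  # e.g. WEB-INF/lib/*.jar inside a deployed .war
            if depth < 4 and name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Walk an installation or webapp directory and scan every archive in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVE_EXTS)):
            scan_archive(path, path, findings)
    return findings

def build_sample_tree(root):
    """Constructed sample: a .war bundling a stand-in log4j-core jar (made-up version)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "artifactId=log4j-core\nversion=0.0.0-sample\n")
        z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "sample-app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

To scan a real deployment, call `scan_tree()` on your Tomcat `webapps` directory or application folder; an empty list means no log4j-core copy was found in any archive there.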
