The Log4Shell vulnerability has been making the rounds across the tech space, and since MapGuide has Java support, I did a check of our MGOS 3.1.2 and current 4.0 preview installation layouts to see if MapGuide is affected.
MapGuide's Java support comes in the form of:
- Bundling the Apache Tomcat web server
- Providing a Java language binding to the MapGuide API in the form of a consumable jar archive.
None of these components carry log4j as a dependency. No log4j jar archives are present in any MGOS installation.
Therefore, you are not affected by Log4Shell. Everything is good!
Naturally, if your Java-based MapGuide application running on top carries the log4j dependency, you should check whether the version you're consuming is affected by Log4Shell and upgrade that dependency to a non-vulnerable version.
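One way to repeat this check on your own installation or application deployment, as an added example that is not part of the original post or of MapGuide's tooling: it walks a directory, opens every jar/war/ear (including archives nested inside them) and reports log4j archives by name and any archive containing log4j-core's `JndiLookup.class`. The sample archives and the `log4j-core-X.Y.Z.jar` name are constructed placeholders; a hit only shows that log4j-core is bundled, and its version still has to be checked.

```python
import io
import os
import tempfile
import zipfile

# Path of the JNDI lookup class inside a log4j-core 2.x jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(source, label, depth=0):
    """Return findings for one archive, recursing into archives nested in it."""
    hits = []
    if os.path.basename(label.rsplit("!", 1)[-1]).lower().startswith("log4j"):
        hits.append(f"{label}: log4j archive by name")
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return hits  # unreadable or not a zip: nothing more to report
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(f"{label}: contains JndiLookup.class")
            elif name.lower().endswith(ARCHIVES) and depth < 4:  # wars and fat jars nest
                inner = io.BytesIO(zf.read(name))
                hits += scan_archive(inner, f"{label}!{name}", depth + 1)
    return hits

def scan_tree(root):
    """Walk an installation directory and scan every Java archive in it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files)):
            if path.lower().endswith(ARCHIVES):
                hits += scan_archive(path, path)
    return hits

def build_sample(root):
    """Constructed sample: one clean jar, one war bundling a log4j-core jar."""
    with zipfile.ZipFile(os.path.join(root, "clean-binding.jar"), "w") as z:
        z.writestr("org/example/Api.class", b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "myapp.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-X.Y.Z.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print("\n".join(scan_tree(d)))
```

To scan a real deployment, call `scan_tree()` with the installation or webapp directory instead of the constructed sample.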