Description
The topcat war file in the distribution zip file contains the log4j (version 1) jar file. Whilst not as serious as the original exploit on log4j version 2, there have since been a few flaws found in version 1. The latest of these was related to the "chainsaw" functionality it contains.
I don't understand why the log4j jar file is in the final distribution at all, because it is a dependency of one of the test dependencies, but anyway it is there and should be removed to be completely safe. TopCAT does not use this for logging as it uses logback.
It is unlikely that a new version of TopCAT will be released because it is currently being replaced by DataGateway, so for now the mitigation for this is to remove the log4j jar file from the war file and then redeploy TopCAT.
To do this:
- Navigate to the directory where the TopCAT distribution zip file was unzipped
- Run the following command to remove the log4j jar file from the topcat war file:

  `zip -d topcat-2.4.8.war WEB-INF/lib/log4j-1.2.13.jar`

- Redeploy TopCAT with:

  `./setup install`
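As an added example (not part of this issue or the TopCAT project), the script below automates the check-and-remove step above using only Python's standard `zipfile` module: it lists any log4j 1.x jars under `WEB-INF/lib`, rewrites the war without them (the same effect as `zip -d`), and then re-checks the war so you have evidence the artifact is gone before redeploying. The war it operates on is a constructed sample built in a temporary directory, with placeholder jar contents; the `topcat-2.4.8.war` and `log4j-1.2.13.jar` names match the issue text, and the function names are this example's own.

```python
import os
import re
import shutil
import tempfile
import zipfile

# Matches log4j 1.x jars bundled under WEB-INF/lib, e.g. WEB-INF/lib/log4j-1.2.13.jar.
# Assumption: TopCAT's stray jar follows the usual Maven "log4j-<version>.jar" naming.
LOG4J1_PATTERN = re.compile(r"^WEB-INF/lib/log4j-1\.[0-9.]+\.jar$")


def find_log4j_entries(war_path):
    """Return the sorted list of log4j 1.x entries found inside the war."""
    with zipfile.ZipFile(war_path) as war:
        return sorted(name for name in war.namelist() if LOG4J1_PATTERN.match(name))


def strip_entries(war_path, names):
    """Rewrite the war without the named entries (equivalent to `zip -d`).

    The archive is rebuilt into a temporary file and atomically moved over the
    original, so a crash mid-way never leaves a half-written war behind.
    Returns the number of entries removed.
    """
    names = set(names)
    removed = 0
    tmp_path = war_path + ".tmp"
    with zipfile.ZipFile(war_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in names:
                removed += 1
                continue
            # Preserve each entry's metadata (timestamps, compression) while copying.
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, war_path)
    return removed


def build_sample_war(path):
    """Constructed sample war: logback (what TopCAT actually logs with) plus a stray log4j 1.x jar."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")  # constructed placeholder content
        war.writestr("WEB-INF/lib/logback-classic-1.2.3.jar", b"placeholder")  # constructed
        war.writestr("WEB-INF/lib/log4j-1.2.13.jar", b"placeholder")  # constructed
    return path


def remediate(war_path):
    """Find, remove and re-verify log4j 1.x jars; the 'after' list should be empty."""
    before = find_log4j_entries(war_path)
    removed = strip_entries(war_path, before)
    after = find_log4j_entries(war_path)
    return {"before": before, "removed": removed, "after": after}


def demo():
    """Run the remediation against the constructed sample war and report what remains."""
    workdir = tempfile.mkdtemp()
    try:
        war = build_sample_war(os.path.join(workdir, "topcat-2.4.8.war"))
        result = remediate(war)
        with zipfile.ZipFile(war) as w:
            result["remaining"] = sorted(w.namelist())
        return result
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Pointing `remediate()` at a real unzipped distribution's `topcat-2.4.8.war` gives the same effect as the `zip -d` command above plus a post-removal check; redeploying with `./setup install` is still a separate step. The empty `after` list is the evidence worth keeping with the change record.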