Hello,

I see the following pom.xml files:

./dspace-api/pom.xml
./dspace-oai/pom.xml
./dspace-rdf/pom.xml
./dspace-rest/pom.xml
./dspace-server-webapp/pom.xml
./dspace-services/pom.xml
./dspace-sword/pom.xml
./dspace-swordv2/pom.xml
./dspace/modules/additions/pom.xml
./dspace/modules/pom.xml
./dspace/modules/rest/pom.xml
./dspace/modules/server/pom.xml
./dspace/pom.xml
./pom.xml

But none in /src/pom.xml. Which file is the correct one for the fix?

Kind regards,
Mirko Grothe

Tim Donohue wrote on Friday, 10 December 2021 at 17:09:43 UTC+1:

> All,
>
> As many of you may have seen, a critical vulnerability has been discovered in log4j and announced in the last day. Details are at: https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> If you are running DSpace 6.x or below, you are *not* impacted by this vulnerability, as DSpace 6.x and below still rely on log4j v1 (and they don't use the JMS Appender which is where the vulnerability can be exploited with log4j v1).
>
> *If you are running DSpace 7.x, YOU MAY BE IMPACTED.* A few possible known quick fixes are available.
>
> - (Code level fix) In the source code of the DSpace backend (REST API), update the <log4j.version> tag in your [src]/pom.xml to say "2.15.0". Rebuild the backend (mvn clean package) & redeploy (ant update) and restart Tomcat. You are now on a protected version of log4j v2. (This fix will also be provided in the upcoming DSpace 7.2 release in Feb, 2022.)
> - (Java upgrade) Ensure you are running the latest version of the JDK (Java). It is reported <https://www.lunasec.io/docs/blog/log4j-zero-day/#who-is-impacted> that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by this vulnerability. So, if you are already running a JDK later than those versions, you may need to do nothing.
> - (Configuration fix workaround) If neither of the above is easily possible, you can temporarily update your [dspace]/config/log4j2.xml and [dspace]/config/log4j2-console.xml, replacing any "%m" patterns with "%m{nolookups}" (per temporary mitigation <https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation> suggestion). Then restart Tomcat. These %m patterns can be found in 3 places total in our log4j2 configs:
>   - https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2.xml#L32
>   - https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2.xml#L50
>   - https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2-console.xml#L20
>
> We'd highly recommend taking one of the following steps *immediately if you are running DSpace 7.x in Production.*
>
> If you have additional questions, feel free to email [email protected] (which emails all DSpace Committers). If you have a public suggestion, feel free to send it to this list to help other DSpace users who may be impacted.
>
> Tim
>
> --
> Tim Donohue
> Technical Lead, DSpace
> [email protected]
> Lyrasis.org <https://www.lyrasis.org/> | DSpace.org <http://dspace.org>
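A check script for the two mitigations Tim describes (the `<log4j.version>` property in a pom.xml and the `%m{nolookups}` pattern change), added here as an example that is not part of this thread or of the DSpace project: run against a source checkout it lists every pom.xml that declares `<log4j.version>` and whether the value is below 2.15.0, and flags log4j2 PatternLayouts that still use `%m` / `%msg` / `%message` without `{nolookups}`. The embedded pom and log4j2 snippets are constructed samples, not DSpace's real files.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

MIN_LOG4J = (2, 15, 0)  # version the message above tells DSpace 7.x users to move to
# %m / %msg / %message conversion that is not immediately followed by {nolookups}
BARE_MSG = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(?!\{nolookups\})")
# Constructed samples (not DSpace's real files): an unpatched version and a bare %m pattern.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties></project>"""
SAMPLE_LOG4J2 = """<Configuration><Appenders><Console name="console">
  <PatternLayout pattern="%d %-5p %c @ %m%n"/></Console></Appenders></Configuration>"""

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); only the numeric parts are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def pom_log4j_version(pom_xml):
    """Value of <log4j.version> in POM text, or None if this pom does not declare it."""
    found = [el.text for el in ET.fromstring(pom_xml).iter()
             if el.tag.rsplit("}", 1)[-1] == "log4j.version"]  # strip the Maven namespace
    return found[0].strip() if found and found[0] else None

def bare_message_patterns(log4j2_xml):
    """Layout patterns (pattern="..." or <Pattern>...</Pattern>) still using bare %m."""
    hits = []
    for el in ET.fromstring(log4j2_xml).iter():
        texts = [el.attrib.get("pattern", ""), el.text or "" if el.tag.endswith("Pattern") else ""]
        hits += [t for t in texts if BARE_MSG.search(t)]
    return hits

def scan_tree(root):
    """Walk a checkout; return (report lines, True if any file still needs the fix)."""
    report, unpatched = [], False
    for pom in Path(root).rglob("pom.xml"):
        version = pom_log4j_version(pom.read_text(encoding="utf-8"))
        if version is not None:
            bad = parse_version(version) < MIN_LOG4J
            unpatched |= bad
            report.append(f"{pom}: log4j.version={version} {'UPDATE' if bad else 'ok'}")
    for cfg in Path(root).rglob("log4j2*.xml"):
        for pat in bare_message_patterns(cfg.read_text(encoding="utf-8")):
            unpatched = True
            report.append(f"{cfg}: pattern still allows lookups: {pat}")
    return report, unpatched

if __name__ == "__main__":  # usage: python check_log4j.py /path/to/DSpace/source
    lines, needs_work = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(lines) or "no <log4j.version> property or log4j2 config found")
    sys.exit(1 if needs_work else 0)
```

A pom.xml that contains no `<log4j.version>` property is reported nowhere, so the output directly shows which of the listed files actually carries the property to edit.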
