All, As with the rest of the world, over the last few days we've learned more about this critical vulnerability in log4j v2 (CVE-2021-44228<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) and its impact on DSpace.
As of today, here's what we know (keep in mind, as more information becomes public, we will be constantly reanalyzing these guidelines):

* DSpace 6.x and below appear to be unaffected, as all use log4j v1 exclusively with a default configuration which is not impacted.
* DSpace 7.0 and 7.1 backends are vulnerable. We've been able to verify it on our demo site. ALL DSPACE 7.0 or 7.1 sites should update the Backend (REST API) to version 7.1.1. This Backend release is compatible with the Frontend (UI) version 7.1. (If you are unable to update immediately, a patch is possible, see Release Notes.)

7.1.1 Release Notes / CVE-2021-44228 Patching Instructions: https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)

In addition, please be aware of the following (these hints may also be found in the above release notes):

* Upgrade to Apache Solr 8.11.1 (or above), OR ensure that `-Dlog4j2.formatMsgNoLookups=true` is specified in your `SOLR_OPTS` environment variable. For more information, see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
* After DSpace and Solr are updated, remember to restart everything on the backend. This includes Tomcat & Solr, but also your Handle Server (if you are using Handle.Net Registry support<https://wiki.lyrasis.org/display/DSDOC7x/Handle.Net+Registry+Support>).

All three of these steps (update DSpace Backend, update Solr, and restart everything) are REQUIRED for full protection. Other previously mentioned workarounds (including updating Java/JDK) seem less secure than initially believed.

If you have any questions, let us know on this list, or email [email protected].
Tim

--
Tim Donohue
Technical Lead, DSpace
[email protected]
Lyrasis.org<https://www.lyrasis.org/> | DSpace.org<http://dspace.org>
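As an added example (not part of Tim's post or of the DSpace project), here is a small POSIX sh checker for the two verifiable conditions the post lists: the Solr version or `SOLR_OPTS` kill switch, and the DSpace backend version. Function names and the sample versions/options at the bottom are constructed for illustration; the restart step cannot be checked this way.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the CVE-2021-44228
# guidance above against version strings and SOLR_OPTS you pass in.

# version_ge A B: succeeds (exit 0) when dotted version A >= B.
# Implemented in awk so it does not depend on GNU `sort -V`.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# solr_mitigated SOLR_VERSION "SOLR_OPTS": Solr is mitigated if it is
# 8.11.1 or newer, OR if SOLR_OPTS carries -Dlog4j2.formatMsgNoLookups=true.
solr_mitigated() {
  version_ge "$1" "8.11.1" && return 0
  case " $2 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
  esac
  return 1
}

# dspace_backend_status VERSION: prints unaffected (6.x and below, log4j 1),
# patched (7.1.1+), or vulnerable (7.0 / 7.1). Exit status 1 if vulnerable.
dspace_backend_status() {
  major=${1%%.*}
  if [ "$major" -le 6 ]; then echo unaffected; return 0; fi
  if version_ge "$1" "7.1.1"; then echo patched; return 0; fi
  echo vulnerable
  return 1
}

# Constructed sample inputs (not taken from a real installation):
SAMPLE_SOLR_VERSION="8.11.0"
SAMPLE_SOLR_OPTS="-Xms512m -Dlog4j2.formatMsgNoLookups=true"
SAMPLE_DSPACE_VERSION="7.1"
if solr_mitigated "$SAMPLE_SOLR_VERSION" "$SAMPLE_SOLR_OPTS"; then
  echo "solr: mitigated"; else echo "solr: NOT mitigated"; fi
echo "dspace backend: $(dspace_backend_status "$SAMPLE_DSPACE_VERSION")"
```

On a live host you would feed it the output of Solr's version command and the `SOLR_OPTS` value from your Solr environment file, plus the version reported by the DSpace REST API.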
