An update on this advice: *PLEASE UPGRADE YOUR DSpace 7.x BACKEND (or patch it).* We've learned more about the log4j vulnerability, and we no longer believe our other prior advice provides you with full protection.

See the new 7.1.1 Release Announcement for full instructions: https://groups.google.com/g/dspace-community/c/Fa4VdjiiNyE and https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)

On Sunday, December 12, 2021 at 8:21:29 AM UTC-6 [email protected] wrote:
> Nvm I just realised you meant the dspace-src directory, not the src
> directory inside the dspace-src directory.
>
> Kind regards,
> Mirko Grothe
>
> On Friday, 10 December 2021 at 17:09:43 UTC+1 Tim Donohue wrote:
>
>> All,
>>
>> As many of you may have seen, a critical vulnerability has been
>> discovered in log4j and announced in the last day. Details are at:
>> https://www.lunasec.io/docs/blog/log4j-zero-day/
>>
>> If you are running DSpace 6.x or below, you are *not* impacted by
>> this vulnerability, as DSpace 6.x and below still rely on log4j v1 (and
>> they don't use the JMS Appender which is where the vulnerability can be
>> exploited with log4j v1).
>>
>> *If you are running DSpace 7.x, YOU MAY BE IMPACTED.* A few possible
>> known quick fixes are available.
>>
>> - (Code level fix) In the source code of the DSpace backend (REST
>> API), update the <log4j.version> tag in your [src]/pom.xml to say
>> "2.15.0". Rebuild the backend (mvn clean package) & redeploy (ant update)
>> and restart Tomcat. You are now on a protected version of log4j v2.
>> (This fix will also be provided in the upcoming DSpace 7.2 release in
>> Feb, 2022.)
>> - (Java upgrade) Ensure you are running the latest version of the JDK
>> (Java). It is reported
>> <https://www.lunasec.io/docs/blog/log4j-zero-day/#who-is-impacted>
>> that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not
>> affected by this vulnerability. So, if you are already running a JDK later
>> than those versions, you may need to do nothing.
>> - (Configuration fix workaround) If neither of the above are easily
>> possible, you can temporarily update your [dspace]/config/log4j2.xml and
>> [dspace]/config/log4j2-console.xml, replacing any "%m" patterns with
>> "%m{nolookups}" (per temporary mitigation
>> <https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation>
>> suggestion). Then restart Tomcat. These %m patterns can be found in 3
>> places total in our log4j2 configs:
>> - https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2.xml#L32
>> - https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2.xml#L50
>> - https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2-console.xml#L20
>>
>> We'd highly recommend taking one of the following steps *immediately if
>> you are running DSpace 7.x in Production.*
>>
>> If you have additional questions, feel free to email [email protected]
>> (which emails all DSpace Committers). If you have a public suggestion, feel
>> free to send it to this list to help other DSpace users who may be impacted.
>>
>> Tim
>>
>> --
>> Tim Donohue
>> Technical Lead, DSpace
>> [email protected]
>> Lyrasis.org <https://www.lyrasis.org/> | DSpace.org <http://dspace.org>
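A small audit script, added here as an example and not part of this thread or of the DSpace project, that checks the two settings Tim's message names on a DSpace 7.x backend checkout: whether `<log4j.version>` in `[src]/pom.xml` is at least the 2.15.0 the message asks for, and whether every `PatternLayout` in a log4j2 config (such as `[dspace]/config/log4j2.xml` and `log4j2-console.xml`) writes the message with `%m{nolookups}` rather than a bare `%m`, `%msg` or `%message`. The XML documents embedded below are constructed samples, not DSpace's real files, and the `2.15.0` threshold is simply the thread's number; as the update at the top of the thread says, a clean result on the `nolookups` workaround is not full protection and the backend should still be upgraded.

```python
"""Audit a DSpace 7.x backend for the two log4j settings discussed in the thread."""
import re
import xml.etree.ElementTree as ET

# log4j2 PatternLayout message conversions: %m, %msg or %message, each optionally
# followed by a {modifier} block. The lookahead keeps "%m" from matching inside
# other conversions that start with the same letter (e.g. %maxLen).
MESSAGE_CONVERSION = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(\{[^}]*\})?")

# Constructed sample log4j2 config (not DSpace's shipped file): one appender
# still uses a bare %m, one uses %m{nolookups}, one nests the pattern in <Pattern>.
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO">
  <Appenders>
    <Console name="console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p %c @ %m%n"/>
    </Console>
    <RollingFile name="dspace" fileName="dspace.log" filePattern="dspace.log.%d{yyyy-MM-dd}">
      <PatternLayout pattern="%d %-5p %c @ %m{nolookups}%n"/>
      <Policies><TimeBasedTriggeringPolicy/></Policies>
    </RollingFile>
    <File name="audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="INFO"><AppenderRef ref="console"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample Maven POM (not DSpace's real pom.xml) with an older log4j pin.
SAMPLE_POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
</project>
"""


def unprotected_patterns(log4j2_xml):
    """Return the names of appenders whose PatternLayout logs the message without {nolookups}."""
    root = ET.fromstring(log4j2_xml)
    findings = []
    appenders = root.find("Appenders")
    if appenders is None:
        return findings
    for appender in appenders:
        for layout in appender.iter("PatternLayout"):
            # The pattern is either a "pattern" attribute or a nested <Pattern> element.
            pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
            for match in MESSAGE_CONVERSION.finditer(pattern):
                modifier = (match.group(1) or "").lower()
                if "nolookups" not in modifier:
                    findings.append(appender.get("name", "<unnamed>"))
                    break
    return findings


def log4j_version_from_pom(pom_xml):
    """Return the text of the <log4j.version> property in a Maven POM, or "" if absent."""
    root = ET.fromstring(pom_xml)
    for elem in root.iter():
        # Drop the Maven XML namespace so the tag name compares as plain text.
        if elem.tag.rsplit("}", 1)[-1] == "log4j.version":
            return (elem.text or "").strip()
    return ""


def version_at_least(version, minimum):
    """Numeric comparison of dotted version strings; an empty version never passes."""
    def parts(v):
        return tuple(int(p) for p in re.findall(r"\d+", v))
    return parts(version) >= parts(minimum)


def check_backend(log4j2_xml, pom_xml, minimum="2.15.0"):
    """Summarise both checks; the default minimum is the version the thread asks for."""
    version = log4j_version_from_pom(pom_xml)
    return {
        "log4j_version": version,
        "pom_ok": version_at_least(version, minimum),
        "unprotected_appenders": unprotected_patterns(log4j2_xml),
    }


if __name__ == "__main__":
    # On a real checkout, read [src]/pom.xml and [dspace]/config/log4j2*.xml instead.
    result = check_backend(SAMPLE_LOG4J2_XML, SAMPLE_POM_XML)
    print("log4j.version in pom.xml:", result["log4j_version"], "OK" if result["pom_ok"] else "TOO OLD")
    for name in result["unprotected_appenders"]:
        print("appender", name, "still logs the message without {nolookups}")
```

On a real install the script should be run against both log4j2 configs the message lists, since each is checked independently; an appender reported here means its pattern still needs the `{nolookups}` modifier (or, better, the backend needs the upgrade).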
