All,

We know it's been a crazy week for those tracking down which systems are vulnerable to recent log4j vulnerabilities.

As these questions continue to come up, here's a quick guide based on what we know today.

Is DSpace vulnerable to CVE-2021-44228 (aka Log4Shell) in log4j v2?
https://nvd.nist.gov/vuln/detail/CVE-2021-44228 (critical vulnerability)

* DSpace 7.0 & 7.1 are both vulnerable. Upgrade as soon as possible to 7.1.1 (or above) or patch your system. You also must upgrade/patch your Apache Solr. See the 7.1.1 Release Notes for information: https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)
* DSpace 6.x, 5.x or 4.x (or below) are *not vulnerable*, as they all use log4j v1 exclusively with a default configuration which is not impacted. (At this time there is no way to upgrade these older DSpace releases to log4j v2. See below for more info.)

(Obviously, as this vulnerability is so new, it's possible there will be updates. We are closely watching everything coming out of the log4j community to ensure that DSpace can be updated as needed.)

Is DSpace vulnerable to CVE-2019-17571, the critical vulnerability in log4j v1?
https://nvd.nist.gov/vuln/detail/CVE-2019-17571 (critical vulnerability)

* DSpace 7.x releases are *not vulnerable* as they use log4j v2.
* DSpace 6.x, 5.x or 4.x (or below) are also *not vulnerable* (out of the box). DSpace's default log4j v1 configuration does NOT use the vulnerable SocketServer/SocketAppender configuration. Instead, we exclusively use FileAppenders, see for example: https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties#L46
* HOWEVER, if you've highly customized your DSpace log4j v1 configuration, you should double check that you are not using SocketAppenders. A vulnerable SocketServer/SocketAppender configuration would look like this: https://howtodoinjava.com/log4j/log4j-socketappender-and-socket-server-example/

Can DSpace 6.x, 5.x or 4.x be upgraded to log4j v2?

log4j v1 is EOL. Unfortunately, log4j v2 is not backwards compatible with log4j v1.
Therefore, this is not a simple upgrade (e.g. it took over 1,000 lines of code changes to update DSpace 7.x to log4j v2, see PR 2241 <https://github.com/DSpace/DSpace/pull/2241>). This upgrade would likely be more complex in DSpace 6.x/5.x/4.x, as those releases also used older versions of Apache Solr (and other dependencies) which relied on log4j v1 as well.

Overall, if you need to use log4j v2 more immediately, we'd recommend upgrading to DSpace 7.x. It's unlikely that earlier releases will ever support log4j v2. (All that said, if anyone does find a way to upgrade earlier versions of DSpace to log4j v2, we'll be sure to let everyone know.)

If there are other questions, feel free to ask them on this list, or email [email protected].

Tim

--
Tim Donohue
Technical Lead, DSpace
[email protected]
Lyrasis.org <https://www.lyrasis.org/> | DSpace.org <http://dspace.org>
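The email asks administrators of customized DSpace 4.x-6.x installs to double check their log4j v1 configuration for SocketAppenders. The script below is an added example, not part of the email above and not DSpace project code: it parses a `log4j.properties` file, lists every appender declared as `org.apache.log4j.net.SocketAppender`, and reports whether that appender is actually attached to the root logger or a named logger (a declared but unattached appender is inactive). The two embedded sample configurations, the `${log.dir}/dspace.log` path and the `logserver.example` host are constructed for illustration.

```python
"""Check a log4j v1 properties file for SocketAppender declarations.

Added example (not DSpace code). Pass a path on the command line to scan a
real file; with no argument it scans the constructed SAMPLE_CUSTOM config.
"""
import re
import sys
from pathlib import Path

# log4j.appender.NAME=CLASS  (NAME has no dots; dotted keys set appender options)
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([A-Za-z0-9_-]+)\s*[=:]\s*(\S+)\s*$")
# log4j.rootLogger / rootCategory / logger.X / category.X = LEVEL, APP1, APP2, ...
LOGGER_RE = re.compile(
    r"^\s*log4j\.(?:rootLogger|rootCategory|logger\.[\w.$-]+|category\.[\w.$-]+)\s*[=:]\s*(.*)$"
)

# Simple class names (lower-cased) that this check flags.
FLAGGED_CLASSES = {"socketappender"}

# Constructed sample resembling the DSpace default: a FileAppender only.
SAMPLE_DEFAULT = """
# constructed sample, not the real DSpace file
log4j.rootCategory=INFO, A1
log4j.appender.A1=org.apache.log4j.FileAppender
log4j.appender.A1.File=${log.dir}/dspace.log
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
"""

# Constructed sample of a customized config that ships log events to a SocketServer.
SAMPLE_CUSTOM = """
# constructed sample of a customized configuration
log4j.rootCategory=INFO, A1, NET
log4j.appender.A1 = org.apache.log4j.FileAppender
log4j.appender.A1.File=${log.dir}/dspace.log
log4j.appender.NET=org.apache.log4j.net.SocketAppender
log4j.appender.NET.RemoteHost=logserver.example
log4j.appender.NET.Port=4560
"""


def _lines(text):
    """Yield non-blank, non-comment lines of a .properties file, stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            yield line


def declared_appenders(text):
    """Map appender name -> fully qualified class for each declaration line."""
    out = {}
    for line in _lines(text):
        m = APPENDER_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def attached_appenders(text):
    """Appender names referenced by the root logger or any named logger."""
    names = set()
    for line in _lines(text):
        m = LOGGER_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",")]
            names.update(p for p in parts[1:] if p)  # parts[0] is the level
    return names


def find_socket_appenders(text):
    """Return sorted (name, class, attached) triples for flagged appenders."""
    attached = attached_appenders(text)
    hits = []
    for name, cls in declared_appenders(text).items():
        if cls.rsplit(".", 1)[-1].lower() in FLAGGED_CLASSES:
            hits.append((name, cls, name in attached))
    return sorted(hits)


def main(argv):
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_CUSTOM
    hits = find_socket_appenders(text)
    if not hits:
        print("OK: no SocketAppender declared")
        return 0
    for name, cls, attached in hits:
        state = "ATTACHED to a logger" if attached else "declared but not attached"
        print(f"FOUND: appender {name} = {cls} ({state})")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status when a SocketAppender is found makes the script easy to drop into a configuration audit; the `FLAGGED_CLASSES` set is the one place to extend if you want to flag other appender classes as well.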
