CVE-2019-17571 (which is a different vulnerability, only impacting log4j v1) should not impact DSpace 6 or below, as it requires that you are using the log4j SocketServer in your configuration. DSpace 6 or below do NOT use this configuration of log4j v1, as we always use a FileAppender for logging; see for example: https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties#L46
My understanding is that CVE-2019-17571 would require a much different configuration, using a SocketAppender instead of a FileAppender, e.g. https://howtodoinjava.com/log4j/log4j-socketappender-and-socket-server-example/

Therefore, as long as you haven't modified your log4j configuration in DSpace 6 or below to use a SocketAppender (this is unlikely), you should be safe from CVE-2019-17571.

Tim

On Tuesday, December 14, 2021 at 4:44:32 AM UTC-6 [email protected] wrote:
> Hi!
>
> While dspace 5.x and 6.x are safe from the latest log4j vulnerability, this got my attention:
> https://nsfocusglobal.com/apache-log4j-deserialization-remote-code-execution-cve-2019-17571-vulnerability-threat-alert/
> No updates in log4j v1.x mean no fix to this issue. Has anyone happened to dig into this and see if this vulnerability affects DSpace? And if so, any mitigations or means available to fix this issue?
>
> Thanks in advance! Keep up the good work everyone o/
>
> -- Antti
>
> On Monday, December 13, 2021 at 7:32:10 PM UTC+2 [email protected] wrote:
>
>> It is part of v5, but I believe the delivered version is ok since it is pre-vulnerability.
>>
>> -Dale
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of* Sarah Butash
>> *Sent:* Monday, December 13, 2021 10:55 AM
>> *To:* [email protected]
>> *Subject:* [dspace-tech] Log4J Vulnerability
>>
>> Hello,
>>
>> Our Security team has asked us to follow up to determine if Log4J is a part of the build of DSpace v5, which I believe it is. Can you confirm? Do you have a mitigation strategy for this issue?
>>
>> Thank you!
>> Sarah
>>
>> --
>> Sarah Butash
>> she / her
>> Library Systems Analyst, OU Libraries
>> Kresge Library, Room 227
>> 100 Library Drive, Rochester, MI 48309-4479
>> Phone: 248-370-2368
>>
>> --
>> All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
>> ---
>> You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/CAGdTMArkg14tVF-b0i4UWS59dvJyOYNy6MtjO3NCdWpL4M285A%40mail.gmail.com

--
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/a013ce5b-8916-4795-aad4-56eed569f0b3n%40googlegroups.com.
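As an added check (not code from this thread or from the DSpace project), the script below reads a log4j 1.x properties file and reports every logger that is wired to an appender from the org.apache.log4j.net package, such as the SocketAppender Tim's reply describes; the sample configuration, logger names and host name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a log4j 1.x properties file (not DSpace's real config).
SAMPLE_LOG4J_PROPERTIES = """
# Root logger at INFO, writing to a file appender as DSpace does
log4j.rootCategory=INFO, A1
log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
log4j.appender.A1.File=${log.dir}/dspace.log

# A logger wired to an appender that ships events over TCP instead
log4j.logger.org.dspace.remote=DEBUG, NET
log4j.appender.NET=org.apache.log4j.net.SocketAppender
log4j.appender.NET.RemoteHost=loghost.example.invalid
log4j.appender.NET.Port=4560
"""

# "log4j.appender.<name>=<class>" lines define appenders; logger lines name which appenders they use.
APPENDER_CLASS_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
LOGGER_RE = re.compile(r"^log4j\.(rootLogger|rootCategory|logger\.\S+?|category\.\S+?)\s*=\s*(.*)$")
NETWORK_PACKAGE = "org.apache.log4j.net."


def parse_log4j_properties(text):
    """Return (appender name -> class, logger key -> [appender names]) for a log4j 1.x properties file."""
    appenders, loggers = {}, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank lines and properties-file comments
            continue
        m = APPENDER_CLASS_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(2).split(",")]  # "LEVEL, appender1, appender2"
            loggers[m.group(1)] = [p for p in parts[1:] if p]
    return appenders, dict(loggers)


def find_network_appenders(text):
    """(logger key, appender name, class) for every logger attached to an org.apache.log4j.net appender."""
    appenders, loggers = parse_log4j_properties(text)
    hits = []
    for logger, names in loggers.items():
        for name in names:
            cls = appenders.get(name, "")
            if cls.startswith(NETWORK_PACKAGE):
                hits.append((logger, name, cls))
    return hits
```

The log4j SocketServer is a separately launched process rather than something a log4j.properties file declares, so this covers only the appender side of the configuration discussed above.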
