Dear Tim,

Thanks a lot for this clarification. Let me double check that a version such as DSpace 3.2 that uses Log4j 1.2.14 should not be impacted, isn't that correct?
Soumaia Ahmed Al Ayyat, PhD
Lead Applications Development Analyst, Tech Solutions, The American University in Cairo
Adjunct Faculty (Assistant Professor), CSCE, The American University in Cairo
Tel: (+2) 2615-3744
P027 UACT, Lib. Bldg., Plaza floor

*Have an IT inquiry? Need more information about IT Solutions at AUC? Please go to https://www.aucegypt.edu/digital-innovation*
Save a tree. Don't print this e-mail unless it's really necessary.
*Great minds discuss ideas; Average minds discuss events; Small minds discuss people. Eleanor Roosevelt*

On Tue, Dec 14, 2021 at 4:55 PM 'Tim Donohue' via DSpace Technical Support <[email protected]> wrote:

> CVE-2019-17571 (which is a different vulnerability only impacting log4j v1)
> should not impact DSpace 6 or below, as it requires that you are using the
> log4j SocketServer in your configuration. DSpace 6 or below do NOT use
> this configuration of log4j v1, as we always use a FileAppender for
> logging, see for example:
> https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties#L46
>
> My understanding is that CVE-2019-17571 would require a much different
> configuration, using a SocketAppender instead of a FileAppender, e.g.
> https://howtodoinjava.com/log4j/log4j-socketappender-and-socket-server-example/
>
> Therefore, as long as you haven't modified your log4j configuration in
> DSpace 6 or below to use a SocketAppender (this is unlikely), you should be
> safe from CVE-2019-17571.
>
> Tim
>
> On Tuesday, December 14, 2021 at 4:44:32 AM UTC-6 [email protected] wrote:
>
>> Hi!
>>
>> While DSpace 5.x and 6.x are safe from the latest log4j vulnerability,
>> this got my attention:
>> https://nsfocusglobal.com/apache-log4j-deserialization-remote-code-execution-cve-2019-17571-vulnerability-threat-alert/
>> No updates in log4j v1.x mean no fix to this issue. Has anyone happened
>> to dig into this and see if this vulnerability affects DSpace? And if so,
>> any mitigations or means available to fix this issue?
>>
>> Thanks in advance! Keep up the good work everyone o/
>>
>> -- Antti
>>
>> On Monday, December 13, 2021 at 7:32:10 PM UTC+2 [email protected] wrote:
>>
>>> It is part of v5, but I believe the delivered version is ok since it is
>>> pre-vulnerability.
>>>
>>> -Dale
>>>
>>> *From:* [email protected] <[email protected]> *On Behalf Of* Sarah Butash
>>> *Sent:* Monday, December 13, 2021 10:55 AM
>>> *To:* [email protected]
>>> *Subject:* [dspace-tech] Log4J Vulnerability
>>>
>>> Hello,
>>>
>>> Our Security team has asked us to follow up to determine if Log4J is a
>>> part of the build of DSpace v5, which I believe it is. Can you confirm? Do
>>> you have a mitigation strategy for this issue?
>>>
>>> Thank you!
>>>
>>> Sarah
>>>
>>> --
>>> Sarah Butash
>>> she / her
>>> Library Systems Analyst, OU Libraries
>>> Kresge Library, Room 227
>>> 100 Library Drive, Rochester, MI 48309-4479
>>> Phone: 248-370-2368
>>>
>>> --
>>> All messages to this mailing list should adhere to the Code of Conduct:
>>> https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "DSpace Technical Support" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/dspace-tech/CAGdTMArkg14tVF-b0i4UWS59dvJyOYNy6MtjO3NCdWpL4M285A%40mail.gmail.com
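The question running through the thread is whether a local log4j 1.x configuration has been changed from the default FileAppender to something that talks to the network. The script below is an added example written for this page; it is not DSpace code and not from any participant. It parses a log4j 1.x `.properties` file, lists the configured appenders, and flags `org.apache.log4j.net.SocketAppender` / `SocketHubAppender`, which send serialized `LoggingEvent` objects over TCP. The component affected by CVE-2019-17571 is the receiving side, `org.apache.log4j.net.SocketServer` (and `SimpleSocketServer`), which deserializes what arrives on that socket, so a second helper checks a JVM command line for those classes. The two sample configurations are constructed for the example (host, port and log paths are made up); the appender and server class names are the real log4j 1.2 ones. The script says nothing about the jar version itself, so it complements, not replaces, checking which log4j jar is on the classpath.

```python
"""Flag log4j 1.x appenders that ship log events over the network.

Added example (not DSpace code). A FileAppender-only configuration never
creates the serialized-event socket that a log4j 1.x SocketServer would
deserialize; a SocketAppender does, and a SocketServer JVM on the other end is
the component affected by CVE-2019-17571.
"""
import re
import sys
from typing import Dict, List

# Constructed sample following the shape of a FileAppender-only
# log4j.properties (the DSpace default described in the thread). Not copied
# from the DSpace repository.
FILE_ONLY_CONFIG = """
# root logger
log4j.rootCategory=INFO, A1
log4j.appender.A1=org.apache.log4j.FileAppender
log4j.appender.A1.File=${log.dir}/dspace.log
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d %-5p %c @ %m%n
"""

# Constructed sample of a locally modified configuration that adds a
# SocketAppender beside the file appender. Host and port are made up.
NETWORK_CONFIG = """
log4j.rootLogger=INFO, FILE, NET
log4j.appender.FILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.FILE.File=${log.dir}/dspace.log
log4j.appender.NET=org.apache.log4j.net.SocketAppender
log4j.appender.NET.RemoteHost=logcollector.example.org
log4j.appender.NET.Port=4560
"""

# log4j 1.x appender classes that serialize LoggingEvents onto a TCP socket.
NETWORK_APPENDER_CLASSES = {
    "org.apache.log4j.net.SocketAppender",
    "org.apache.log4j.net.SocketHubAppender",
}

# log4j 1.x classes that receive and deserialize those events. A JVM whose
# command line names one of these is the vulnerable endpoint.
SOCKET_SERVER_CLASSES = (
    "org.apache.log4j.net.SocketServer",
    "org.apache.log4j.net.SimpleSocketServer",
)

# Matches `log4j.appender.NAME=CLASS` only. Property lines such as
# `log4j.appender.NAME.File=...` fail to match because of the dot after NAME.
APPENDER_CLASS_RE = re.compile(
    r"^\s*log4j\.appender\.([A-Za-z0-9_-]+)\s*=\s*(\S+)\s*$"
)


def parse_appenders(properties_text: str) -> Dict[str, str]:
    """Return {appender name: fully qualified appender class}."""
    appenders: Dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = APPENDER_CLASS_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders


def network_appenders(properties_text: str) -> List[str]:
    """Names of configured appenders whose class sends events over a socket."""
    return sorted(
        name
        for name, cls in parse_appenders(properties_text).items()
        if cls in NETWORK_APPENDER_CLASSES
    )


def runs_socket_server(java_cmdline: str) -> bool:
    """True if a JVM command line starts a log4j 1.x socket server."""
    return any(cls in java_cmdline for cls in SOCKET_SERVER_CLASSES)


def main(paths: List[str]) -> int:
    """Report per file; exit status 1 if any network appender is configured."""
    found = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            net = network_appenders(fh.read())
        if net:
            print(f"{path}: NETWORK appender(s) configured: {', '.join(net)}")
            found = True
        else:
            print(f"{path}: file/console appenders only")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the installed configuration, for example `python check_log4j_appenders.py [dspace]/config/log4j.properties` (the script name and path are placeholders), and separately inspect `ps` output with `runs_socket_server` for any JVM that was started as a log4j socket server. A clean result from both is the concrete form of Tim's "as long as you haven't modified your log4j configuration to use a SocketAppender".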
