As far as we are aware, DSpace 3.x (and below) would be the same as DSpace 
4.x/5.x/6.x and should not be impacted by this log4j issue.

That said, all DSpace 4.x, 3.x and 1.x.x releases are end-of-life and are 
no longer supported.  So, we honestly don't go back that far to verify that old 
of a release.  I'd recommend upgrading to a supported version of DSpace 
(5.x/6.x/7.x) when you get the chance, as you might be impacted by other 
security issues.

For our release support policies & a list of all supported releases, see 
https://wiki.lyrasis.org/display/DSPACE/Releases

Tim
________________________________
From: 'Soumaia Al Ayyat' via DSpace Technical Support 
<[email protected]>
Sent: Friday, December 17, 2021 2:07 PM
To: Tim Donohue <[email protected]>
Cc: DSpace Technical Support <[email protected]>
Subject: Re: [dspace-tech] Log4J Vulnerability

Dear Tim,

Thanks a lot for this clarification. Let me double check that a version such 
as DSpace 3.2 that uses Log4j 1.2.14 should not be impacted, isn't that correct?


Soumaia Ahmed Al Ayyat, PhD
Lead Applications Development Analyst
Tech Solutions
The American University in Cairo

Adjunct Faculty (Assistant Professor), CSCE
The American University in Cairo
Tel: (+2) 2615-3744
P027 UACT, Lib. Bldg., Plaza floor

On Tue, Dec 14, 2021 at 4:55 PM 'Tim Donohue' via DSpace Technical Support 
<[email protected]> wrote:
CVE-2019-17571 (which is a different vulnerability, only impacting log4j v1) 
should not impact DSpace 6 or below, as it requires that you are using the 
log4j SocketServer in your configuration.  DSpace 6 or below do NOT use this 
configuration of log4j v1, as we always use a FileAppender for logging, see for 
example: 
https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties#L46

My understanding is that CVE-2019-17571 would require a much different 
configuration, using a SocketAppender instead of a FileAppender, e.g. 
https://howtodoinjava.com/log4j/log4j-socketappender-and-socket-server-example/

Therefore, as long as you haven't modified your log4j configuration in DSpace 6 
or below to use a SocketAppender (this is unlikely), you should be safe from 
CVE-2019-17571.

Tim

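A configuration check for the condition Tim describes, added here as an example and not part of the thread or of DSpace's own code: it reads a log4j 1.x properties file, lists the appender classes, and flags any socket-based appender (org.apache.log4j.net.SocketAppender or SocketHubAppender), noting whether a logger actually references it. The two configurations are constructed samples: a FileAppender-only setup like the stock file linked above, and the same file with a network appender added locally.

```python
import re
# Network-shipping appender classes in log4j 1.x (the non-default setup the thread warns about)
SOCKET_APPENDER_CLASSES = {"org.apache.log4j.net.SocketAppender", "org.apache.log4j.net.SocketHubAppender"}

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def attached_appenders(props):
    """Appender names referenced by root/logger/category entries, whose value is 'LEVEL, name1, name2'."""
    names = set()
    for key, value in props.items():
        if key in ("log4j.rootLogger", "log4j.rootCategory") or key.startswith(("log4j.logger.", "log4j.category.")):
            tokens = [t.strip() for t in value.split(",")]
            names.update(t for t in tokens[1:] if t)  # first token is the level
    return names

def find_socket_appenders(text):
    """List every socket-based appender in the config and whether any logger actually uses it."""
    props = parse_properties(text)
    active = attached_appenders(props)
    findings = []
    for key, cls in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)  # 'log4j.appender.NAME' only, not its sub-keys
        if m and (cls in SOCKET_APPENDER_CLASSES or cls.endswith("SocketAppender")):
            findings.append({"appender": m.group(1), "class": cls, "attached": m.group(1) in active})
    return findings

# Constructed sample: a FileAppender-only configuration, as in the stock DSpace file Tim points to
SAFE_CONFIG = """\
log4j.rootCategory=INFO, A1
log4j.appender.A1=org.apache.log4j.FileAppender
log4j.appender.A1.File=${log.dir}/dspace.log
"""
# Constructed sample: the same file after a network appender was added locally
MODIFIED_CONFIG = SAFE_CONFIG + """\
log4j.appender.SOCK=org.apache.log4j.net.SocketAppender
log4j.appender.SOCK.Port=4712
log4j.logger.org.dspace=INFO, SOCK
"""
```

Running `find_socket_appenders` over your own `log4j.properties` gives an empty list for a stock setup and one entry per socket-based appender otherwise.
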
On Tuesday, December 14, 2021 at 4:44:32 AM UTC-6 
[email protected] wrote:
Hi!

While dspace 5.x and 6.x are safe from the latest log4j vulnerability, this 
got my attention: 
https://nsfocusglobal.com/apache-log4j-deserialization-remote-code-execution-cve-2019-17571-vulnerability-threat-alert/
No updates in log4j v1.x mean no fix to this issue. Has anyone happened to dig 
into this and see if this vulnerability affects DSpace? And if so, any 
mitigations or means available to fix this issue?

Thanks in advance! Keep up the good work everyone o/

-- Antti


On Monday, December 13, 2021 at 7:32:10 PM UTC+2 [email protected] wrote:

It is part of v5,  but I believe the delivered version is ok since it is 
pre-vulnerability.

-Dale

From: [email protected] <[email protected]> On Behalf Of Sarah 
Butash
Sent: Monday, December 13, 2021 10:55 AM
To: [email protected]
Subject: [dspace-tech] Log4J Vulnerability

Hello,

Our Security team has asked us to follow up to determine if Log4J is a part of 
the build of DSpace v5, which I believe it is.  Can you confirm? Do you have a 
mitigation strategy for this issue?

Thank you!

Sarah

--
Sarah Butash
she / her
Library Systems Analyst, OU Libraries
Kresge Library, Room 227
100 Library Drive, Rochester, MI  48309-4479
Phone: 248-370-2368

--
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/CAGdTMArkg14tVF-b0i4UWS59dvJyOYNy6MtjO3NCdWpL4M285A%40mail.gmail.com.