Hi Tech support, I'm using DSpace 6.3 on CentOS 7. My Cyber Security colleagues tell me that there are 3 other vulnerabilities in our installation:
CVE-2022-23302 <https://nvd.nist.gov/vuln/detail/CVE-2022-23302>, CVE-2022-23305 <https://nvd.nist.gov/vuln/detail/CVE-2022-23305>, and CVE-2022-23307 <https://nvd.nist.gov/vuln/detail/CVE-2022-23307>.

I've not been able to verify that log4j 1.x, as it is used in DSpace 6.3, is configured in such a way that these vulnerabilities are exploitable. Please could you confirm that DSpace 6.3 is not affected by these?

Thanks,
Paul.

On Thursday, 16 December 2021 at 16:55:53 UTC Tim Donohue wrote:
> All,
>
> We know it's been a crazy week for those tracking down which systems are vulnerable to recent log4j vulnerabilities.
>
> As these questions continue to come up, here's a quick guide based on what we know *today*.
>
> *Is DSpace vulnerable to CVE-2021-44228 (aka Log4Shell) in log4j v2?*
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228 (critical vulnerability)
>
> - *DSpace 7.0 & 7.1 are both vulnerable*. Upgrade as soon as possible to 7.1.1 (or above) or patch your system. You also must upgrade/patch your Apache Solr. See the 7.1.1 Release Notes for information: https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)
> - DSpace 6.x, 5.x or 4.x (or below) are *not vulnerable*, as they all use log4j v1 exclusively with a default configuration which is not impacted. (At this time there is no way to upgrade these older DSpace releases to log4j v2. See below for more info.)
>
> (Obviously, as this vulnerability is so new, it's possible there will be updates. We are closely watching everything coming out of the log4j community to ensure DSpace can be updated as needed.)
>
> *Is DSpace vulnerable to the CVE-2019-17571 critical vulnerability in log4j v1?*
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571 (critical vulnerability)
>
> - DSpace 7.x releases are *not vulnerable* as they use log4j v2.
> - DSpace 6.x, 5.x or 4.x (or below) are also *not vulnerable* (out of the box). DSpace's default log4j v1 configuration does NOT use the vulnerable SocketServer/SocketAppender configuration. Instead, we exclusively use FileAppenders, see for example: https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties#L46
> - HOWEVER, if you've highly customized your DSpace log4j v1 configuration, you should double check you are not using SocketAppenders. A vulnerable SocketServer/SocketAppender configuration would look like this: https://howtodoinjava.com/log4j/log4j-socketappender-and-socket-server-example/
>
> *Can DSpace 6.x, 5.x or 4.x be upgraded to log4j v2? log4j v1 is EOL.*
> Unfortunately, log4j v2 is not backwards compatible with log4j v1. Therefore, this is not a simple upgrade (e.g. it took over 1,000 lines of code changes to update DSpace 7.x to log4j v2, see PR 2241 <https://github.com/DSpace/DSpace/pull/2241>). This upgrade would likely be *more complex* in DSpace 6.x/5.x/4.x, as those releases also used older versions of Apache Solr (and other dependencies) which relied on log4j v1 as well.
>
> *Overall, if you need to use log4j v2 more immediately, we'd recommend upgrading to DSpace 7.x.* It's unlikely that earlier releases will ever support log4j v2. (All that said, if anyone does find a way to upgrade earlier versions of DSpace to log4j v2, we'll be sure to let everyone know.)
>
> If there are other questions, feel free to ask them on this list, or email [email protected].
>
> Tim
>
> --
> Tim Donohue
> Technical Lead, DSpace
> [email protected]
> Lyrasis.org <https://www.lyrasis.org/> | DSpace.org <http://dspace.org>
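The configuration check Tim's reply asks for, as an added example that is not part of the original thread and not DSpace project code: it reads a log4j 1.x properties file, flags any appender whose class is on a small watchlist (the SocketAppender the reply names, plus JDBCAppender for CVE-2022-23305 and JMSAppender for CVE-2021-4104, which the thread does not discuss but which is the other log4j 1.x appender these audits routinely ask about), and reports whether each flagged appender is actually wired to the root logger or a named logger, since an appender that is defined but attached nowhere is never instantiated. The two sample configurations, the appender names and the hostnames in them are constructed for the demo; the watchlist is this example's own, not an official DSpace list.

```python
"""Audit a log4j 1.x properties file for the appender classes behind the
log4j 1.2 CVEs discussed in the thread above.

Added example; not DSpace project code. The two configurations below are
constructed for the demo (the real file is [dspace]/config/log4j.properties).
"""
import re
import sys
from typing import Dict, Iterator, List, NamedTuple, Set

# Exact appender class -> the issue its use makes reachable. Only a config
# that instantiates one of these is exposed through it; a stock DSpace 6
# config (file appenders only) should produce no findings.
WATCHLIST: Dict[str, str] = {
    "org.apache.log4j.net.SocketAppender":
        "SocketAppender/SocketServer setup named in the thread (CVE-2019-17571)",
    "org.apache.log4j.net.JMSAppender":
        "JMSAppender JNDI lookup (CVE-2021-4104)",
    "org.apache.log4j.jdbc.JDBCAppender":
        "JDBCAppender SQL injection (CVE-2022-23305)",
}


class Finding(NamedTuple):
    appender: str   # logical appender name, e.g. "A1"
    clazz: str      # fully qualified appender class
    reason: str     # watchlist entry it matched
    attached: bool  # True if the root logger or a named logger uses it


# "log4j.appender.NAME=CLASS" only; "log4j.appender.NAME.Prop=..." lines
# fail the match because NAME may not contain a dot.
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.\s=:]+)\s*[=:]\s*(\S+)$")
# root logger and named logger/category lines: "LEVEL, app1, app2"
_LOGGER_RE = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^\s=:]+|category\.[^\s=:]+)\s*[=:]\s*(.*)$"
)


def _logical_lines(text: str) -> Iterator[str]:
    """Yield properties 'logical lines': comments dropped and backslash
    continuations joined, as java.util.Properties reads them."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line, buf = buf + line, ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def parse_appenders(text: str) -> Dict[str, str]:
    """Map appender name -> appender class."""
    out: Dict[str, str] = {}
    for line in _logical_lines(text):
        m = _APPENDER_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def attached_appenders(text: str) -> Set[str]:
    """Appender names wired to the root logger or any named logger.
    The first comma-separated token is the level (possibly empty)."""
    names: Set[str] = set()
    for line in _logical_lines(text):
        m = _LOGGER_RE.match(line)
        if m:
            tokens = [t.strip() for t in m.group(1).split(",")]
            names.update(t for t in tokens[1:] if t)
    return names


def audit(text: str) -> List[Finding]:
    """Every watchlisted appender in the config, sorted by appender name."""
    attached = attached_appenders(text)
    findings: List[Finding] = []
    for name, clazz in sorted(parse_appenders(text).items()):
        reason = WATCHLIST.get(clazz)
        if reason is not None:
            findings.append(Finding(name, clazz, reason, name in attached))
    return findings


# Constructed stand-in for a stock DSpace 6 log4j.properties: file appenders only.
DEFAULT_CONFIG = """\
log4j.rootLogger=INFO, A1
log4j.appender.A1=org.apache.log4j.RollingFileAppender
log4j.appender.A1.File=${log.dir}/dspace.log
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d %-5p %c @ %m%n
"""

# Constructed local customisation of the kind the thread warns about.
CUSTOMISED_CONFIG = DEFAULT_CONFIG + """\
log4j.appender.SIEM=org.apache.log4j.net.SocketAppender
log4j.appender.SIEM.RemoteHost=logcollector.example.org
log4j.appender.SIEM.Port=4712
log4j.logger.org.dspace=INFO, SIEM
# defined but attached to no logger: flagged, but reported as inactive
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:postgresql://localhost/dspace
"""

if __name__ == "__main__":
    # usage: python log4j1_audit.py [path/to/log4j.properties]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = CUSTOMISED_CONFIG
    for f in audit(text):
        state = "attached to a logger" if f.attached else "defined but not attached"
        print(f"{f.appender}: {f.clazz} - {f.reason} [{state}]")
```

Run it against [dspace]/config/log4j.properties and against any other log4j.properties your deployment ships (the DSpace 6 Solr webapp carries its own log4j 1 configuration, if you still run that Solr). An empty result means the configuration instantiates none of those appenders; the classes themselves are still inside the log4j 1.2 jar on the classpath, so a scanner that keys on the jar version will keep reporting the CVEs, and the answer to the security team is "present but not configured", not "absent". CVE-2022-23302 (JMSSink) and CVE-2022-23307 (Chainsaw) concern standalone log4j programs rather than appenders, so a properties-file check cannot speak to them; for those, confirm that nothing on the host launches org.apache.log4j.net.JMSSink or the Chainsaw viewer, which a DSpace deployment has no reason to run.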
