Hi Hassan, A guide for these log4j vulnerabilities was shared on dspace-community & dspace-tech list back in Dec 2021 (when they were first announced): https://groups.google.com/g/dspace-tech/c/QR59bS4nIT0
There are a few options offered in that thread. Basically, though it's extremely complex to upgrade from log4j v1 to v2 as they are not compatible. I'm not aware of anyone who has done this for DSpace 5.x or 6.x. But, the 7.x set of releases all use log4j v2. So, you might want to consider upgrading to DSpace 7. Another option is to upgrade to DSpace 6.4 as it switched DSpace 6.x from log4j to reload4j. See https://github.com/DSpace/DSpace/pull/8144 This was a basic "patch" offered to sites that couldn't upgrade to DSpace 7. I don't know if it's possible to backport to 5.x Tim On Friday, June 14, 2024 at 3:09:37 AM UTC-5 Zikrul wrote: > > Hi, > > We are trying to deal with a critical vulnerability which says "Apache > Log4j SEoL (<= 1.x)" in DSpace5.6 server. It is running on Red Hat > Enterprise Linux Server 7.9 version. It says the reason that Apache Log4j > is less than or equal to 1.x. It is, therefore, no longer maintained by its > vendor or provider. Solution suggested, we need version of Apache Log4j > that is currently supported. Going through the Log4j documentation on > website, is not much helpful and generic guide. > > I am wondering if anyone has resolved the issue without upgrading DSpace > to latest version and would like to share the knowledge how to resolve it > please. > > Kind Regards > Hassan Bhuiyan > > -- All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/77020b8a-ae96-4f98-9b68-001db9d5f9c9n%40googlegroups.com.
