Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

2021-12-11 Thread Peter Heiner
While ArchivesSpace itself might not be vulnerable, those who run an external 
Solr instance should be aware that it itself may be, see 
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
 for more information and some possible workarounds.

p

From: archivesspace_users_group-boun...@lyralists.lyrasis.org 
 on behalf of Tom 
Hanstra 
Sent: 11 December 2021 13:21
To: Archivesspace Users Group 
Subject: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

There is a lot of buzz right now about the log4j exploit being used against 
Java applications. Does anyone know if ArchivesSpace is vulnerable to these 
exploits?

Tom
--
Tom Hanstra
Sr. Systems Administrator
hans...@nd.edu

___
Archivesspace_Users_Group mailing list
Archivesspace_Users_Group@lyralists.lyrasis.org
http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group


Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

2021-12-11 Thread Tom Hanstra
Right, it is bad. I'm digging around at everything this morning looking for
places that might be vulnerable.

There are a couple of gems in the gems directory which use older versions
of log4j (ladle-0.2.0-java, mizuno-0.6.11). No idea where those come into
play with the overall software.

Tom

On Sat, Dec 11, 2021 at 8:46 AM Blake Carver 
wrote:

> Almost certainly not, there's no absolutes in this stuff, but from
> everything I've read it's currently not vulnerable.
>
> This is a bad vulnerability, log4j is all over the place.
> --
> *From:* archivesspace_users_group-boun...@lyralists.lyrasis.org <
> archivesspace_users_group-boun...@lyralists.lyrasis.org> on behalf of Tom
> Hanstra 
> *Sent:* Saturday, December 11, 2021 8:21 AM
> *To:* Archivesspace Users Group <
> archivesspace_users_group@lyralists.lyrasis.org>
> *Subject:* [Archivesspace_Users_Group] log4j vulnerability in
> ArchivesSpace?
>
> There is a lot of buzz right now about the log4j exploit being used
> against Java applications. Does anyone know if ArchivesSpace is vulnerable
> to these exploits?
>
> Tom
> --
> *Tom Hanstra*
> *Sr. Systems Administrator*
> hans...@nd.edu
>
>
>


-- 
*Tom Hanstra*
*Sr. Systems Administrator*
hans...@nd.edu
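
An added example, not part of the original message or of ArchivesSpace: one way to check a directory such as the gems directory for bundled log4j jars, including jars nested inside other archives. It reports whether each archive holds the log4j 2.x `JndiLookup` class (the class involved in CVE-2021-44228) or log4j 1.x classes, which do not include it; the function names are hypothetical and the layout written by `build_sample` is constructed test data.

```python
import io, re, zipfile
from pathlib import Path

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x only
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, label, findings):
    """Record log4j evidence in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # archive extension but not a readable zip: skip it
    with zf:
        names = set(zf.namelist())
        m = re.search(rb"^version=(.+)$", zf.read(POM), re.M) if POM in names else None
        version = m.group(1).decode().strip() if m else None
        has_jndi = JNDI in names
        is_1x = any(n.startswith("org/apache/log4j/") for n in names)
        if has_jndi or version or is_1x:
            findings.append({"path": label, "core_version": version,
                             "jndi_lookup": has_jndi, "log4j_1x": is_1x})
        for n in sorted(names):
            if n.lower().endswith(ARCHIVES):  # e.g. a jar inside a WAR
                inspect_archive(zf.read(n), label + "!" + n, findings)

def scan_tree(root):
    """Return one finding per archive under root that carries log4j classes."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def make_jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample(root):
    """Constructed layout: a log4j 1.x jar and a WAR nesting a 2.x core jar."""
    lib = Path(root, "gems", "example-gem", "lib")
    lib.mkdir(parents=True)
    core = make_jar({JNDI: b"", POM: b"version=2.14.1\n"})
    (lib / "old-logging.jar").write_bytes(make_jar({"org/apache/log4j/Logger.class": b""}))
    (lib / "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": core}))
```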


[Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

2021-12-11 Thread Tom Hanstra
There is a lot of buzz right now about the log4j exploit being used against
Java applications. Does anyone know if ArchivesSpace is vulnerable to these
exploits?

Tom
-- 
*Tom Hanstra*
*Sr. Systems Administrator*
hans...@nd.edu