NOTICE: Log4j zero-day exploit may affect DSpace 7.x (only). How to patch yourself quickly.

[Tim Donohue]

All,

As many of you may have seen, a critical vulnerability has been discovered in log4j and announced in the last day. Details are at: https://www.lunasec.io/docs/blog/log4j-zero-day/

If you are running DSpace 6.x or below, you are not​ be impacted by this vulnerability, as DSpace 6.x and below still rely on log4j v1 (and they don't use the JMS Appender which is where the vulnerability can be exploited with log4j v1).

If you are running DSpace 7.x, YOU MAY BE IMPACTED.  A few possible known quick fixes are available.

• (Code level fix) In the source code of the DSpace backend (REST API), update the <log4j.version> tag in your [src]/pom.xml to say "2.15.0".  Rebuild the backend (mvn clean package) & redeploy (ant update) and restart Tomcat.  You are now on a protected version of log4j v2.   (This fix will also be provided in the upcoming DSpace 7.2 release in Feb, 2022.)
• (Java upgrade) Ensure you are running the latest version of the JDK (Java).  It is reported that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by this vulnerability.  So, if you are already running a JDK later than those versions, you may need to do nothing.
• (Configuration fix workaround) If neither of the above are easily possible, you can temporarily update your [dspace]/config/log4j2.xml and [dspace]/config/log4j2-console.xml, replacing any "%m" patterns with "%m{nolookups}" (per temporary mitigation suggestion). Then restart Tomcat. These %m patterns can be found in 3 places total in our log4j2 configs:
• https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2.xml#L32
  
• https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2.xml#L50
  
• https://github.com/DSpace/DSpace/blob/main/dspace/config/log4j2-console.xml#L20
  

We'd highly recommend taking one of the following steps immediately if you are running DSpace 7.x in Production.

​

If you have additional questions, feel free to email secu...@dspace.org (which emails all DSpace Committers). If you have a public suggestion, feel free to send it to this list to help other DSpace users who may be impacted.

Tim

--

Tim Donohue

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org

[throwaway 8768629769]

Hello,

I see the following pom.xml files:

./dspace-api/pom.xml
./dspace-oai/pom.xml
./dspace-rdf/pom.xml
./dspace-rest/pom.xml
./dspace-server-webapp/pom.xml
./dspace-services/pom.xml
./dspace-sword/pom.xml
./dspace-swordv2/pom.xml
./dspace/modules/additions/pom.xml
./dspace/modules/pom.xml
./dspace/modules/rest/pom.xml
./dspace/modules/server/pom.xml
./dspace/pom.xml
./pom.xml

But none in /src/pom.xml. Which file ist the correct one for the fix?

Kind regards,

Mirko Grothe

[throwaway 8768629769]

Nvm I just realised you meant the dspace-src directory, not the src directory inside the dspace-src directory.

Kind regards,

Mirko Grothe

Tim Donohue schrieb am Freitag, 10. Dezember 2021 um 17:09:43 UTC+1:

[Tim Donohue]

An update on this advice:  PLEASE UPGRADE YOUR DSpace 7.x BACKEND (or patch it).  We've learned more about the log4j vulnerability, and we no longer believe our other prior advice provides you with full protection.

See the new 7.1.1 Release Announcement for full instructions:  https://groups.google.com/g/dspace-community/c/Fa4VdjiiNyE and https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)