Hi Paul & all,
Based on a quick reading of those vulnerabilities, those 3 vulnerabilities would only affect your DSpace site if you have modified the default log4j v1 configuration of DSpace 6.x (or below).
CVE-2022-23302 - Says it only impacts log4j v1 when log4j is configured to use JMSSink. DSpace's out of the box configs do not use JMSSink by default. That'd only impact you if you are using a JMSAppender (DSpace only uses FileAppenders and ConsoleAppenders by default).
CVE-2022-23305 - Says it only impacts log4j v1 when log4j is configured to use a JDBCAppender. Again, DSpace doesn't use this configuration of log4j by default.
So, at least based on a quick analysis, I don't believe the out-of-the-box DSpace 6.x (or below) log4j v1 configuration is vulnerable to any of these issues. That said, if you modify DSpace 6.x's default log4j v1 configuration (
https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties) to use a different Appender type or to enable Chainsaw, then you *would be vulnerable*. If anyone finds I've overlooked anything in this analysis, please do let us know.
If you still want to get off of log4j v1 regardless, you have a few options:
1. Upgrade to DSpace 7, which uses the latest log4j v2.
2. Consider installing this "work in progress" PR for DSpace 6.x, which replaces log4j with the reload4j project:
https://github.com/DSpace/DSpace/pull/8144 The reload4j project (
https://reload4j.qos.ch/) provides some ongoing patching of log4j v1, since log4j v1 is now considered EOL and is not maintained by Apache. This PR has not yet been merged into DSpace 6.x, but it is undergoing testing. If you decide to test this, please let us know your results by commenting on the PR itself.
Sincerely,
Tim Donohue