Is Archivematica 1.9.3 vulnerable to the recent Log4j vulnerability through ElasticSearch?


hls...@gmail.com

Dec 13, 2021, 2:13:44 PM
to archivematica
We are on OpenJDK 8 so it looked like that could be a possibility according to https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

but I wasn't sure if this applies to Archivematica.

Sarah Romkey

Dec 14, 2021, 1:47:42 PM
to archiv...@googlegroups.com
Hi there, in case you didn't see our announcement from late yesterday, you can find some info on this here: https://wiki.archivematica.org/Log4j 

Sarah Romkey, MAS, MLIS
Archivematica Program Manager
@archivematica / @accesstomemory





hls...@gmail.com

Dec 15, 2021, 10:21:31 AM
to archivematica

Thanks for this information you provided and the associated fix at the URL below. I wanted to let you know we attempted the patch recommended in the document for RedHat/CentOS servers, and yet our InfoSec’s vulnerability scanner still indicated that our Archivematica servers were vulnerable. As a result, and because we are transitioning off of Archivematica, we are shutting these down in the very near term.

I just wanted to let you know so you could further investigate a fix for RedHat/CentOS users.

Sarah Romkey

Dec 15, 2021, 10:37:33 AM
to archiv...@googlegroups.com
Hi,

I've consulted with colleagues here at Artefactual and they suggest upgrading to Elasticsearch 6.2.21 if that is a possibility for you. It depends on how you have installed Elasticsearch, but likely running

sudo yum install elasticsearch-6.8.21-1

should work.

Cheers,

Sarah

Sarah Romkey, MAS, MLIS
Archivematica Program Manager
@archivematica / @accesstomemory



Sarah Romkey

Dec 15, 2021, 12:01:30 PM
to archivematica
With guidance from our systems administrators we have updated the instructions for Archivematica:
