Log4j?


Garrett Armstrong

Dec 13, 2021, 2:20:34 PM
to ArchivesSpace
Does ArchivesSpace or its Solr use log4j? If so, any advice on mitigation?

Thanks
Garrett Armstrong

Garrett Armstrong

Dec 13, 2021, 2:29:13 PM
to ArchivesSpace
I say this as someone who's in the process of being handed off an ArchivesSpace install. I have not had a chance to learn the ArchivesSpace stack, so my ignorance about it is nearly absolute. My assumption is that all Solr installs use log4j, but that may be incorrect. I'm also blind as to whether there is a Java portion in ArchivesSpace other than its Solr.
Garrett

Bridger Dyson-Smith

Dec 13, 2021, 2:54:31 PM
to archiv...@googlegroups.com

Hi Garrett -
On Mon, Dec 13, 2021 at 2:29 PM Garrett Armstrong <garrett....@gmail.com> wrote:
I say this as someone who's in the process of being handed off an ArchivesSpace install. I have not had a chance to learn the ArchivesSpace stack, so my ignorance about it is nearly absolute. My assumption is that all Solr installs use log4j, but that may be incorrect. I'm also blind as to whether there is a Java portion in ArchivesSpace other than its Solr.
Garrett

While I'm not in the same hand-off situation, I too know very little about AS. As far as I can tell from checking both the source (github.com/archivesspace/archivesspace) and the current unpacked and running application we host (v3.0.1), there isn't a direct log4j dependency for Solr. However, two of the gems used in the application, mizuno-0.6.11 and ladle-0.2.0, both have the following in their lib directories (this is the unpacked application):
gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar
gems/gems/mizuno-0.6.11/lib/java/slf4j-log4j12-1.7.5.jar
gems/gems/ladle-0.2.0-java/lib/ladle/apacheds/log4j-1.2.14.jar
gems/gems/ladle-0.2.0-java/lib/ladle/apacheds/slf4j-log4j12-1.5.6.jar

(An important caveat: I do *not* have sufficient expertise to speak as an authority; look elsewhere for a final word on this.) My understanding is that:
1) older versions of log4j are not susceptible to the full RCE [1,2]
2) versions of log4j that leverage the slf4j library are not susceptible to the full RCE
so in theory we're not completely in a pickle.

Does that help?
On Monday, December 13, 2021 at 2:20:34 PM UTC-5 Garrett Armstrong wrote:
Does ArchivesSpace or its Solr use log4j? If so, any advice on mitigation?

Thanks
Garrett Armstrong

Best,
Bridger

PS: I confess that I'm not entirely sure, but those log4j dependencies I list may be transitive; like I said: not sure.
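A defender's inventory check for the situation Bridger describes, added here as an example and not part of this thread or of the ArchivesSpace project: it walks an unpacked tree for jars with log4j in the name and separates log4j 1.x jars and the slf4j-log4j12 binding jars (which are SLF4J bindings, not log4j itself) from log4j-core 2.x, the artifact that carries CVE-2021-44228. The sample tree mirrors the four paths listed above and adds one constructed log4j-core-2.14.1.jar that is not from the thread.

```shell
#!/bin/sh
# Constructed sample tree mirroring the jar paths listed in the thread.
# The files are empty placeholders, not real jars, so this runs offline;
# the log4j-core-2.14.1.jar entry is constructed and is NOT from the thread.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/gems/gems/mizuno-0.6.11/lib/java" \
           "$root/gems/gems/ladle-0.2.0-java/lib/ladle/apacheds" \
           "$root/gems/gems/example-gem/lib"
  : > "$root/gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar"
  : > "$root/gems/gems/mizuno-0.6.11/lib/java/slf4j-log4j12-1.7.5.jar"
  : > "$root/gems/gems/ladle-0.2.0-java/lib/ladle/apacheds/log4j-1.2.14.jar"
  : > "$root/gems/gems/ladle-0.2.0-java/lib/ladle/apacheds/slf4j-log4j12-1.5.6.jar"
  : > "$root/gems/gems/example-gem/lib/log4j-core-2.14.1.jar"
  printf '%s\n' "$root"
}

# Classify a jar by file name:
#   slf4j-binding : slf4j-log4j12-*.jar, the SLF4J binding, not log4j itself
#   log4j1        : log4j-1.x, which has no JNDI lookup in message formatting
#   log4j2-core   : log4j-core-2.x, the artifact that carries CVE-2021-44228
#   other         : anything else with log4j in the name (api, bridges, ...)
classify_jar() {
  case "$(basename "$1")" in
    slf4j-log4j12-*.jar) echo "slf4j-binding" ;;
    log4j-1.*.jar)       echo "log4j1" ;;
    log4j-core-2.*.jar)  echo "log4j2-core" ;;
    *)                   echo "other" ;;
  esac
}

# List every jar under a tree with log4j in its name as "<class>\t<relative path>".
scan_log4j_jars() {
  find "$1" -type f -name '*log4j*.jar' | sort | while read -r jar; do
    printf '%s\t%s\n' "$(classify_jar "$jar")" "${jar#"$1"/}"
  done
}

# Number of log4j-core 2.x jars in the tree: the ones that need a version check.
count_log4j2_core() {
  scan_log4j_jars "$1" | grep -c '^log4j2-core' || true
}

# Usage on the constructed tree; point it at a real unpacked install instead.
sample_root=$(make_sample_tree)
scan_log4j_jars "$sample_root"
echo "log4j-core 2.x jars: $(count_log4j2_core "$sample_root")"
rm -rf "$sample_root"
```

A name-based scan misses shaded or renamed jars, so treat a clean result as a first pass rather than a final answer.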


Rodd Grady

May 27, 2022, 1:44:04 PM
to ArchivesSpace
Has anyone tried removing these gem files from their instance since they are only used for development? If so, have you run into any issues? Thanks!