log4j vulnerability


Patrick Vranckx

Dec 13, 2021, 3:52:56 AM
to Dataverse Users Community

Hi,

An alert has been published about the log4j vulnerability: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html

My dataverse instances run version 5.0 and 5.6. It seems that version 1.2.15 of log4j is used. Is it correct?

This version is not supported anymore and no security patches have been published for log4j 1.x since August 2015.

Do you have advice about upgrading log4j regarding Dataverse?

Thanks in advance,

Patrick

René Schleuer

Dec 13, 2021, 4:54:31 AM
to Dataverse Users Community
Hi,

I checked the current Dataverse-5.9.war and it contains the log4j-1.2.14.jar

[attachment: war.PNG]

So we have to wait for the Dataverse Devs for answers. 

Best,
René

Donald Sizemore II

Dec 13, 2021, 5:06:41 AM
to dataverse...@googlegroups.com
Hello,

There is information about this CVE in the IQSS/dataverse-security GitHub repo, and Danny sent out a note to the community contact list on Saturday. You might contact sup...@dataverse.org for admission to both?

don

painstakingly pecked on my iphone.

Vyacheslav Tikhonov

Dec 13, 2021, 6:24:31 AM
to Dataverse Users Community
Thanks, Don! I've just patched the Dataverse Docker module as well:

Best,
Slava

Dobrica Pavlinušić

Dec 13, 2021, 11:34:03 AM
to dataverse...@googlegroups.com
Reading about mitigations for log4j it seems that adding

export LOG4J_FORMAT_MSG_NO_LOOKUPS=true

to payara and solr startup scripts might help to mitigate problems until there is updated version.

Can someone who understands java and dataverse more than me confirm that?
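René's check above (listing the log4j jar inside the WAR) and Dobrica's question about LOG4J_FORMAT_MSG_NO_LOOKUPS both come down to the same inventory question: which log4j artifact is actually bundled, and does the proposed mitigation apply to it. The script below is an added example, not Dataverse code and not something posted in this thread. It walks every nested jar in a WAR, reads the Maven pom.properties (falling back to the filename), checks whether log4j-core still ships JndiLookup.class, and reports a verdict for CVE-2021-44228. The facts it encodes: the JNDI message lookup lives in log4j-core 2.x (2.0-beta9 through 2.14.1, fixed in 2.15.0, with 2.16.0 needed for the follow-up CVE-2021-45046); the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is only honoured by log4j-core 2.10 through 2.14.1; and log4j 1.x has no message lookups at all, so it is not affected by CVE-2021-44228 and the environment variable does nothing for it, even though the 1.x line is end-of-life. The sample WAR is constructed in memory so the script runs offline; replace make_sample_war() with the bytes of a real file such as dataverse.war to scan an installation.

```python
"""Scan a WAR for bundled log4j jars and classify each against CVE-2021-44228.
Added example, not Dataverse project code; the sample WAR is constructed in memory."""
import io
import re
import zipfile

# Class implementing ${jndi:...} lookups in log4j-core 2.x; deleting it from the
# jar is the other common mitigation besides LOG4J_FORMAT_MSG_NO_LOOKUPS.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_POM_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def _pom_coords(jar):
    """(groupId, artifactId, version) from the first Maven pom.properties in a jar."""
    for name in jar.namelist():
        if _POM_RE.match(name):
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, val = line.split("=", 1)
                    props[key.strip()] = val.strip()
            return props.get("groupId"), props.get("artifactId"), props.get("version")
    return None, None, None


def _coords_from_filename(path):
    """Fallback for repackaged jars: log4j-core-2.14.1.jar -> ('log4j-core', '2.14.1')."""
    match = re.match(r"(.+?)-(\d[\w.\-]*)\.jar$", path.rsplit("/", 1)[-1])
    return (match.group(1), match.group(2)) if match else (None, None)


def _version_tuple(version):
    match = re.match(r"(\d+(?:\.\d+)*)", version or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else ()


def classify(group, artifact, version, has_jndi_lookup):
    """Verdict dict for a log4j artifact, None for anything else.
    Flags every log4j-core 2.x below 2.15.0 (the advisory range starts at 2.0-beta9)."""
    v = _version_tuple(version)
    if artifact == "log4j-core" and v[:1] == (2,):
        if v >= (2, 15):
            return {"vulnerable": False, "note": "log4j-core >= 2.15.0: CVE-2021-44228 fixed "
                                                 "(2.15.0 still needs 2.16.0 for CVE-2021-45046)"}
        if not has_jndi_lookup:
            return {"vulnerable": False, "note": "log4j-core 2.x with JndiLookup.class removed: mitigated"}
        if v >= (2, 10):
            mitigation = "LOG4J_FORMAT_MSG_NO_LOOKUPS=true applies (2.10 to 2.14.1)"
        else:
            mitigation = "LOG4J_FORMAT_MSG_NO_LOOKUPS is ignored below 2.10; remove JndiLookup.class or upgrade"
        return {"vulnerable": True,
                "note": "log4j-core 2.x < 2.15.0 with JndiLookup present: CVE-2021-44228; " + mitigation}
    if artifact == "log4j" and v[:1] == (1,):
        return {"vulnerable": False,
                "note": "log4j 1.x: no message lookups, not affected by CVE-2021-44228, and "
                        "LOG4J_FORMAT_MSG_NO_LOOKUPS has no effect; line is end-of-life since 2015"}
    if group == "org.apache.logging.log4j":
        return {"vulnerable": False, "note": f"{artifact}: log4j 2 companion jar, lookup code lives in log4j-core"}
    return None


def scan_war(war_bytes):
    """Walk every nested .jar in a WAR/EAR and return findings for log4j artifacts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for path in war.namelist():
            if not path.endswith(".jar"):
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(path))) as jar:
                group, artifact, version = _pom_coords(jar)
                if artifact is None:
                    artifact, version = _coords_from_filename(path)
                has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
            verdict = classify(group, artifact, version, has_jndi)
            if verdict is not None:
                findings.append({"path": path, "artifact": artifact, "version": version, **verdict})
    return findings


def _jar(group, artifact, version, extra=()):
    """Build a minimal jar (constructed fixture) carrying only pom.properties and marker entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        for name in extra:
            zf.writestr(name, b"")
    return buf.getvalue()


def make_sample_war():
    """Constructed sample WAR mixing log4j 1.x, an unpatched log4j-core 2.x and unrelated jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.14.jar", _jar("log4j", "log4j", "1.2.14"))
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                     _jar("org.apache.logging.log4j", "log4j-core", "2.14.1", [JNDI_LOOKUP_CLASS]))
        war.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", _jar("org.apache.logging.log4j", "log4j-api", "2.14.1"))
        war.writestr("WEB-INF/lib/commons-io-2.11.0.jar", _jar("commons-io", "commons-io", "2.11.0"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_war(make_sample_war()):
        print(("VULN " if f["vulnerable"] else "ok   ") + f["path"] + ": " + f["note"])
```

Run it against the real file with scan_war(open("dataverse.war", "rb").read()); the same function works for Solr's lib directory if you zip it or loop over the jars directly, since the per-jar logic only needs a ZipFile. The JndiLookup.class check matters because a vendor may ship a log4j-core jar whose version string says 2.14.1 but from which the class has already been stripped, and a version-only scanner would report it as still vulnerable.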

danny...@g.harvard.edu

Dec 13, 2021, 2:07:11 PM
to Dataverse Users Community
Hi all,

Due to the sensitive nature of security topics, we don't communicate vulnerabilities on the public list and I email Dataverse Installation Contacts and Security Contacts directly. An email went out to this list on Saturday. If you would like to be added to this list, please contact secu...@dataverse.org and include the installation with which you are associated. Also:

- I encourage you to join the Dataverse Community Slack through this invite link: https://join.slack.com/t/dataversecommunity/shared_invite/zt-4yri92eb-rwgTwLImYltt2C3IbGg3hA as it will allow for more detailed discussion of these topics when necessary.
- We would like to revisit this process in the near future, perhaps using some of GitHub's tooling. The goal is to get the sensitive message out to the right people as easily as possible, and that process may be different now because of how the community has grown. There's some discussion of this in https://github.com/IQSS/dataverse/issues/3215 and I'd welcome additional discussion.

Thanks,

Danny