SECURITY RELEASE: Version 7.1.1 of DSpace Backend patches log4j vulnerabilities in 7.x (CVE-2021-44228)

Skip to first unread message

Tim Donohue

Dec 13, 2021, 3:30:04 PM12/13/21
to DSpace Community, DSpace Technical Support, DSpace Developers

As with the rest of the world, over the last few days we've learned more about this critical vulnerability in log4j v2 (CVE-2021-44228) and its impact on DSpace.

As of today, here's what we know (keep in mind, as more information becomes public, we will be constantly reanalyzing these guidelines):
  • DSpace 6.x and below appear to be​ unaffected, as all use log4j v1 exclusively with a default configuration which is not impacted.
  • DSpace 7.0 and 7.1 backends are vulnerable​.  We've been able to verify it on our demo site.
ALL DSPACE 7.0 or 7.1 sites should update the Backend (REST API) to version 7.1.1.  This Backend release is compatible with the Frontend (UI) version 7.1. (If you are unable to update immediately, a patch is possible, see Release Notes)

In addition, please be aware of the following (these hints may also be found in the above release notes):
  • After DSpace and Solr are updated, remember to restart everything on the backend. This includes Tomcat & Solr, but also your Handle Server (if you are using Handle.Net Registry support).
All three of these steps (update DSpace Backend, update Solr, and restart everything) are REQUIRED for full protection.  Other previously mentioned workarounds (including updating Java/JDK) seem less secure than initially believed.

If you have any questions, let us know on this list, or email



Tim Donohue

Technical Lead, DSpace |

Reply all
Reply to author
0 new messages