As with the rest of the world, over the last few days we've learned more about this critical vulnerability in log4j v2 (CVE-2021-44228) and its impact on DSpace.
As of today, here's what we know (keep in mind, as more information becomes public, we will be constantly reanalyzing these guidelines):
- DSpace 6.x and below appear to be unaffected, as all use log4j v1 exclusively with a default configuration which is not impacted.
- DSpace 7.0 and 7.1 backends are vulnerable. We've been able to verify it on our demo site.
ALL DSPACE 7.0 or 7.1 sites should update the Backend (REST API) to version 7.1.1. This Backend release is compatible with the Frontend (UI) version 7.1. (If you are unable to update immediately, a patch is possible; see the Release Notes.)
In addition, please be aware of the following (these hints may also be found in the above release notes):
- After DSpace and Solr are updated, remember to restart everything on the backend. This includes Tomcat & Solr, but also your Handle Server (if you are using Handle.Net Registry support).
All three of these steps (update DSpace Backend, update Solr, and restart everything) are REQUIRED for full protection. Other previously mentioned workarounds (including updating Java/JDK) seem less secure than initially believed.
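To confirm after the upgrade and restart that no affected log4j-core build is left on disk, here is an added inventory script (example code, not part of DSpace or this announcement). It walks the directories you point it at, such as the backend webapp's WEB-INF/lib and Solr's server/lib (assumed paths), and classifies each log4j-core jar by its version and by whether the JndiLookup class is still inside; the jars it scans in `demo()` are constructed in a temporary directory so it runs offline.

```python
# Added example: inventory log4j-core jars under DSpace/Solr install dirs and
# classify each against CVE-2021-44228. Sample jars are constructed below.
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIXED = (2, 15, 0)  # first log4j 2.x release in which CVE-2021-44228 is fixed


def classify(jar):
    """Return one of: patched, mitigated, vulnerable, unknown."""
    m = VERSION_RE.search(os.path.basename(jar))
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(jar) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if version is None:
        return "unknown"      # beta/snapshot naming: inspect this jar by hand
    if version >= FIXED:
        return "patched"
    # Older 2.x build: only the JndiLookup class-removal workaround makes it safe
    return "mitigated" if not has_jndi else "vulnerable"


def scan(roots):
    """Map every log4j-core jar found below the given roots to its status."""
    return {str(p): classify(p) for r in roots for p in Path(r).rglob("log4j-core-*.jar")}


def _fake_jar(path, with_jndi):
    """Constructed sample jar: a zip with a manifest plus, optionally, JndiLookup."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build three constructed jars in a temp dir; return {relative path: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        _fake_jar(base / "webapps/server/WEB-INF/lib/log4j-core-2.14.1.jar", True)
        _fake_jar(base / "solr/server/lib/ext/log4j-core-2.14.1.jar", False)
        _fake_jar(base / "other/log4j-core-2.15.0.jar", True)
        return {os.path.relpath(k, tmp): v for k, v in scan([base]).items()}


if __name__ == "__main__":
    for jar, status in sorted(demo().items()):
        print(f"{status:10} {jar}")
```

A "mitigated" result only means the lookup class was stripped from an old build; the release-note steps above (upgrade the Backend, upgrade Solr, restart) remain the supported fix.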