SECURITY RELEASE: Version 7.1.1 of DSpace Backend patches log4j vulnerabilities in 7.x (CVE-2021-44228)


Tim Donohue

Dec 13, 2021, 3:30:04 PM
to DSpace Community, DSpace Technical Support, DSpace Developers
All,

As with the rest of the world, over the last few days we've learned more about this critical vulnerability in log4j v2 (CVE-2021-44228) and its impact on DSpace.

As of today, here's what we know (keep in mind, as more information becomes public, we will be constantly reanalyzing these guidelines):
  • DSpace 6.x and below appear to be unaffected, as all use log4j v1 exclusively with a default configuration which is not impacted.
  • DSpace 7.0 and 7.1 backends are vulnerable. We've been able to verify it on our demo site.
ALL DSPACE 7.0 or 7.1 sites should update the Backend (REST API) to version 7.1.1. This Backend release is compatible with the Frontend (UI) version 7.1. (If you are unable to update immediately, a patch is possible, see Release Notes)


In addition, please be aware of the following (these hints may also be found in the above release notes):
  • After DSpace and Solr are updated, remember to restart everything on the backend. This includes Tomcat & Solr, but also your Handle Server (if you are using Handle.Net Registry support).
All three of these steps (update DSpace Backend, update Solr, and restart everything) are REQUIRED for full protection. Other previously mentioned workarounds (including updating Java/JDK) seem less secure than initially believed.

If you have any questions, let us know on this list, or email secu...@dspace.org.

Tim

--

Tim Donohue

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org
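The announcement above asks administrators to update both the DSpace backend and Solr and then restart everything. A practical way to confirm that no pre-patch log4j-core jar is still on disk afterwards is to scan the deployment tree by jar filename. The script below is an added example; it is not part of the original post and not DSpace project tooling. It assumes exploded webapp directories (a packed `.war` or a shaded jar would not be seen by a filename scan), and the minimum version `2.17.1` and the directory layout in `make_sample_tree` are assumptions chosen for illustration; take the version actually required from the DSpace 7.1.1 release notes.

```shell
#!/bin/sh
# Added example (not from the original post): list log4j-core jars under a
# directory tree whose version is below an assumed minimum, so an admin can
# confirm the backend, Solr and Handle Server installs were all updated.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$1" ]
}

# log4j_version_from_jar PATH: print "2.14.1" for ".../log4j-core-2.14.1.jar",
# nothing for jars that are not log4j-core (log4j-api, log4j-1.2-api, ...).
log4j_version_from_jar() {
  basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\).*/\1/p'
}

# find_vulnerable_jars DIR MIN: print every log4j-core jar under DIR older than MIN.
find_vulnerable_jars() {
  dir=$1
  min=$2
  find "$dir" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
    v=$(log4j_version_from_jar "$jar")
    if [ -n "$v" ] && version_lt "$v" "$min"; then
      printf '%s\n' "$jar"
    fi
  done
}

# make_sample_tree: build a constructed install tree (empty placeholder jars)
# so the check can be exercised offline; the paths are assumed, not DSpace's.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/tomcat/webapps/server/WEB-INF/lib" "$root/solr/server/lib/ext"
  : > "$root/tomcat/webapps/server/WEB-INF/lib/log4j-core-2.14.1.jar"  # constructed: pre-patch
  : > "$root/tomcat/webapps/server/WEB-INF/lib/log4j-api-2.14.1.jar"   # constructed: not log4j-core
  : > "$root/solr/server/lib/ext/log4j-core-2.17.1.jar"                # constructed: patched
  printf '%s\n' "$root"
}

# Usage: sh check-log4j.sh /path/to/tomcat /path/to/solr [MIN_VERSION]
# (MIN_VERSION defaults to the assumed floor 2.17.1.)
if [ $# -gt 0 ]; then
  min_version=2.17.1
  for arg; do
    case $arg in [0-9]*.[0-9]*) min_version=$arg ;; esac
  done
  for arg; do
    case $arg in [0-9]*.[0-9]*) ;; *) find_vulnerable_jars "$arg" "$min_version" ;; esac
  done
fi
```

Run it against the Tomcat, Solr and Handle Server directories after restarting them; any path it prints is a jar that survived the update. Because the scan is by filename only, it says nothing about jars embedded inside an unexploded `.war` or a shaded uber-jar, so treat an empty result as a necessary check rather than proof on its own.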


