FAQ: DSpace & log4j critical vulnerabilities (CVE-2021-44228 and CVE-2019-17571)


Tim Donohue

Dec 16, 2021, 11:55:53 AM
to DSpace Community, DSpace Technical Support
All,

We know it's been a crazy week for those tracking down which systems are vulnerable to recent log4j vulnerabilities.

As these questions continue to come up, here's a quick guide based on what we know today.

Is DSpace vulnerable to CVE-2021-44228 (aka Log4Shell) in log4j v2?
  • DSpace 7.0 & 7.1 are both vulnerable.  Upgrade as soon as possible to 7.1.1 (or above) or patch your system. You also must upgrade/patch your Apache Solr. See 7.1.1 Release Notes for information: https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)
  • DSpace 6.x, 5.x or 4.x (or below) are *not vulnerable*, as they all use log4j v1 exclusively with a default configuration which is not impacted. (At this time there is no way to upgrade these older DSpace releases to log4j v2. See below for more info.)
(Obviously, as this vulnerability is so new, it's possible there will be updates. We are closely watching everything coming out of the log4j community to ensure that DSpace can be updated as needed.)

Is DSpace vulnerable to CVE-2019-17571 critical vulnerability in log4j v1?
Can DSpace 6.x, 5.x or 4.x be upgraded to log4j v2?  log4j v1 is EOL.
Unfortunately, log4j v2 is not backwards compatible with log4j v1. Therefore, this is not a simple upgrade (e.g. it took over 1,000 lines of code changes to update DSpace 7.x to log4j v2, see PR 2241). This upgrade would likely be more complex in DSpace 6.x/5.x/4.x, as those releases also used older versions of Apache Solr (and other dependencies) which relied on log4j v1 as well.

Overall, if you need to use log4j v2 more immediately, we'd recommend upgrading to DSpace 7.x.  It's unlikely that earlier releases will ever support log4j v2. (All that said, if anyone does find a way to upgrade earlier versions of DSpace to log4j v2, we'll be sure to let everyone know.)

If there are other questions, feel free to ask them on this list, or email secu...@dspace.org.

Tim 

--

Tim Donohue

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org
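The advice in the post turns on which log4j jars an installation actually ships, and the release number alone does not tell you whether a site has already applied the 7.1.1 upgrade or stripped JndiLookup.class from an older core jar. The script below is an added triage example, not code from the post or from the DSpace project: it walks a directory, opens every .jar and .war (and jars nested one level inside a war, as the DSpace backend war does), and reports the log4j generation, the version from the Maven pom.properties entry, and whether the JNDI lookup class is present. Log4j 2 cores below 2.15.0 that still contain JndiLookup.class are flagged for CVE-2021-44228; log4j 1.x jars are reported as not affected by Log4Shell, with a reminder that CVE-2019-17571 lives in SocketServer. The jar entry paths are the standard ones log4j artifacts carry; the sample archives, their names (including server.war) and their contents are constructed inline for the demo and are not real DSpace artifacts. Run it against both the DSpace webapps directory and the Solr install, since the post notes Solr must be patched too.

```python
"""Triage which log4j jars a DSpace (or any Java) install ships.

Added example, not DSpace project code. Scans .jar/.war files under a root,
including jars nested one level inside a .war, and classifies each log4j hit.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Standard entry paths inside log4j artifacts (Maven metadata and marker classes).
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J1_SOCKET = "org/apache/log4j/net/SocketServer.class"  # CVE-2019-17571 lives here
LOG4SHELL_FIXED = (2, 15, 0)  # first log4j 2 release with CVE-2021-44228 fixed


def _pom_version(zf, pom_path):
    """Read 'version=' from a Maven pom.properties entry, or None if absent."""
    if pom_path not in zf.namelist():
        return None
    for line in zf.read(pom_path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _vtuple(version):
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-rc1'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def classify_archive(zf, label):
    """Return a finding dict for one open zip, or None if it is not a log4j jar."""
    names = set(zf.namelist())
    v2 = _pom_version(zf, LOG4J2_POM)
    if v2 is not None or LOG4J2_JNDI in names:
        has_jndi = LOG4J2_JNDI in names
        old = v2 is None or _vtuple(v2) < LOG4SHELL_FIXED
        if has_jndi and old:
            status = "VULNERABLE: CVE-2021-44228 (upgrade log4j-core or remove JndiLookup.class)"
        elif old:
            status = "mitigated: JndiLookup.class removed from an old core; still upgrade"
        else:
            status = "ok"
        return {"archive": label, "log4j": 2, "version": v2, "jndi_lookup": has_jndi, "status": status}
    v1 = _pom_version(zf, LOG4J1_POM)
    if v1 is not None or LOG4J1_SOCKET in names:
        return {"archive": label, "log4j": 1, "version": v1, "socket_server": LOG4J1_SOCKET in names,
                "status": "log4j 1.x: not affected by CVE-2021-44228; CVE-2019-17571 only if SocketServer is used"}
    return None


def scan_tree(root):
    """Classify every .jar/.war under root, plus jars nested one level inside each war."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith((".jar", ".war")):
                continue
            path = Path(dirpath) / fname
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            with zf:
                hit = classify_archive(zf, str(path))
                if hit:
                    findings.append(hit)
                for entry in zf.namelist():
                    if entry.endswith(".jar"):
                        try:
                            with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                                hit = classify_archive(inner, f"{path}!{entry}")
                        except zipfile.BadZipFile:
                            continue
                        if hit:
                            findings.append(hit)
    return findings


def _write_zip(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed sample archives (not real DSpace artifacts) covering each case."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    stub = b"\xca\xfe\xba\xbe"  # class-file magic, enough to stand in for a .class entry
    _write_zip(lib / "log4j-core-2.14.1.jar", {LOG4J2_POM: "version=2.14.1\n", LOG4J2_JNDI: stub})
    _write_zip(lib / "log4j-core-2.17.1.jar", {LOG4J2_POM: "version=2.17.1\n", LOG4J2_JNDI: stub})
    _write_zip(lib / "log4j-1.2.17.jar", {LOG4J1_POM: "version=1.2.17\n", LOG4J1_SOCKET: stub})
    # A war bundling a 2.14.1 core whose JndiLookup.class was deleted (the "zip -q -d" mitigation).
    buf = io.BytesIO()
    _write_zip(buf, {LOG4J2_POM: "version=2.14.1\n"})
    _write_zip(Path(root) / "server.war",
               {"WEB-INF/lib/log4j-core-2.14.1.jar": buf.getvalue(), "WEB-INF/web.xml": "<web-app/>"})
    return root


def demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"{f['archive']}: log4j {f['log4j']} {f['version']}: {f['status']}")
```

Point the script at a real tree with `python3 log4j_triage.py /path/to/tomcat/webapps` and again at the Solr install directory. A "mitigated" line means someone has already removed JndiLookup.class from an older core, which stops the JNDI lookup but is not a substitute for the 7.1.1 upgrade the post recommends.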
