SECURITY RELEASE: Version 7.1.1 of DSpace Backend patches log4j vulnerabilities in 7.x (CVE-2021-44228)

[Tim Donohue]

All,

As with the rest of the world, over the last few days we've learned more about this critical vulnerability in log4j v2 (CVE-2021-44228) and its impact on DSpace.

As of today, here's what we know (keep in mind, as more information becomes public, we will be constantly reanalyzing these guidelines):

• DSpace 6.x and below appear to be​ unaffected, as all use log4j v1 exclusively with a default configuration which is not impacted.
  
• DSpace 7.0 and 7.1 backends are vulnerable​.  We've been able to verify it on our demo site.
  

ALL DSPACE 7.0 or 7.1 sites should update the Backend (REST API) to version 7.1.1.  This Backend release is compatible with the Frontend (UI) version 7.1. (If you are unable to update immediately, a patch is possible, see Release Notes)

7.1.1 Release Notes / CVE-2021-44228 Patching Instructions: https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes#ReleaseNotes-7.1.1ReleaseNotes(BackendOnly)

In addition, please be aware of the following (these hints may also be found in the above release notes):

• Upgrade to Apache Solr 8.11.1 (or above), OR ensure that `-Dlog4j2.formatMsgNoLookups=true` is specified in your `SOLR_OPTS` environment variable. For more information, see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

• After DSpace and Solr are updated, remember to restart everything on the backend. This includes Tomcat & Solr, but also your Handle Server (if you are using Handle.Net Registry support).

All three of these steps (update DSpace Backend, update Solr, and restart everything) are REQUIRED for full protection.  Other previously mentioned workarounds (including updating Java/JDK) seem less secure than initially believed.

If you have any questions, let us know on this list, or email secu...@dspace.org.

Tim

--

Tim Donohue

Technical Lead, DSpace

tim.d...@lyrasis.org

Lyrasis.org | DSpace.org