Log4J Vulnerability


Sarah Butash

Dec 13, 2021, 11:55:07 AM
to dspac...@googlegroups.com
Hello,

Our Security team has asked us to follow up to determine if Log4J is a part of the build of DSpace v5, which I believe it is.  Can you confirm? Do you have a mitigation strategy for this issue?

Thank you!
Sarah

--

Sarah Butash

she / her

Library Systems Analyst, OU Libraries

Kresge Library, Room 227

100 Library Drive, Rochester, MI  48309-4479

Phone: 248-370-2368



Poulter, Dale

Dec 13, 2021, 12:32:10 PM
to Sarah Butash, dspac...@googlegroups.com

It is part of v5, but I believe the delivered version is ok since it is pre-vulnerability.


-Dale


antti....@gmail.com

Dec 14, 2021, 5:44:32 AM
to DSpace Technical Support
Hi!

While dspace 5.x and 6.x are safe from the latest log4j vulnerability, this got my attention: https://nsfocusglobal.com/apache-log4j-deserialization-remote-code-execution-cve-2019-17571-vulnerability-threat-alert/
No updates in log4j v1.x mean no fix to this issue. Has anyone happened to dig into this and see if this vulnerability affects DSpace? And if so, any mitigations or means available to fix this issue?

Thanks in advance! Keep up the good work everyone o/

-- Antti

Tim Donohue

Dec 14, 2021, 9:55:24 AM
to DSpace Technical Support
CVE-2019-17571 (which is a different vulnerability, only impacting log4j v1) should not impact DSpace 6 or below, as it requires that you are using the log4j SocketServer in your configuration. DSpace 6 or below does NOT use this configuration of log4j v1, as we always use a FileAppender for logging, see for example: https://github.com/DSpace/DSpace/blob/dspace-6_x/dspace/config/log4j.properties#L46

My understanding is that CVE-2019-17571 would require a much different configuration, using a SocketAppender instead of a FileAppender, e.g. https://howtodoinjava.com/log4j/log4j-socketappender-and-socket-server-example/

Therefore, as long as you haven't modified your log4j configuration in DSpace 6 or below to use a SocketAppender (this is unlikely), you should be safe from CVE-2019-17571.

Tim
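The two checks discussed above (Dale's point that DSpace 5/6 ship log4j 1.x, and Tim's point that CVE-2019-17571 only matters when a SocketAppender/SocketServer has been configured instead of the default FileAppender) can be scripted so an administrator can run them against their own install. The following is an added example written for this thread; it is not DSpace project code. The `FILE_ONLY_CONFIG` and `SOCKET_CONFIG` properties text, the jar filenames, and the host `logserver.example.invalid` are constructed samples, and the script only looks at filenames and the properties file, not at jar contents.

```python
"""Added example (not from the thread or the DSpace project): audit a
log4j 1.x properties file for network appenders and inventory log4j jar
versions from a directory listing. All sample inputs are constructed."""
import re
from typing import Dict, List

# Constructed configuration in the FileAppender-only style the thread
# describes; the appender name and log path are made up.
FILE_ONLY_CONFIG = """
log4j.rootCategory=INFO, A1
log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
log4j.appender.A1.File=${log.dir}/dspace.log
log4j.appender.A1.DatePattern='.'yyyy-MM-dd
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
"""

# Constructed configuration that adds a SocketAppender, i.e. the kind of
# local modification the thread says would warrant a closer look.
SOCKET_CONFIG = FILE_ONLY_CONFIG + """
log4j.logger.org.dspace=INFO, NET
log4j.appender.NET=org.apache.log4j.net.SocketAppender
log4j.appender.NET.RemoteHost=logserver.example.invalid
log4j.appender.NET.Port=4560
"""

# 'log4j.appender.<name>=<class>' defines an appender; keys such as
# '.File' or '.Port' on the same name are settings and do not match.
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$", re.M)

def parse_appenders(config: str) -> Dict[str, str]:
    """Map appender name -> fully qualified appender class."""
    return {m.group(1): m.group(2) for m in APPENDER_RE.finditer(config)}

def network_appenders(config: str) -> List[str]:
    """Names of appenders from the org.apache.log4j.net package.

    A SocketAppender implies a SocketServer somewhere receiving serialized
    events; that receiving side is what CVE-2019-17571 concerns, so any
    hit here means the 'FileAppender only' assumption no longer holds."""
    return sorted(name for name, cls in parse_appenders(config).items()
                  if cls.startswith("org.apache.log4j.net."))

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-api-2.14.1.jar and
# log4j-1.2-api-2.14.1.jar; unrelated jars are ignored.
JAR_RE = re.compile(r"^log4j(?:-(core|api|1\.2-api))?-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")

def log4j_jars(filenames: List[str]) -> Dict[str, str]:
    """Map each log4j jar filename to the version string in its name."""
    found = {}
    for name in filenames:
        m = JAR_RE.match(name)
        if m:
            found[name] = m.group(2)
    return found

def assess(filenames: List[str], config: str) -> List[str]:
    """Combine both checks into findings an administrator can act on."""
    findings = []
    for jar, version in log4j_jars(filenames).items():
        major = version.split(".")[0]
        if major == "1":
            findings.append(f"{jar}: log4j 1.x; CVE-2019-17571 applies only "
                            "if a SocketServer receives events from this install")
        else:
            findings.append(f"{jar}: log4j {version}; check this version against "
                            "the log4j 2 advisory for the December 2021 issue")
    net = network_appenders(config)
    if net:
        findings.append("network appenders configured: " + ", ".join(net))
    else:
        findings.append("no network appenders; file-based logging only")
    return findings

if __name__ == "__main__":
    # Constructed directory listings standing in for a DSpace lib/ folder.
    for line in assess(["log4j-1.2.17.jar", "commons-io-2.4.jar"], FILE_ONLY_CONFIG):
        print(line)
    for line in assess(["log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar"], SOCKET_CONFIG):
        print(line)
```

On a real install, replace the constructed lists with `os.listdir()` of the webapp's `WEB-INF/lib` directory and read the deployed `log4j.properties` into `config`; the appender regex deliberately ignores property lines with a further dotted key so that only the class definitions are inspected.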

antti....@gmail.com

Dec 15, 2021, 1:10:03 AM
to DSpace Technical Support
Hi!

Thank you, Tim, for the clarification! I appreciate the fast response, even when there may be a lot of fires to put out!

Best regards,
Antti

Soumaia Al Ayyat

Dec 17, 2021, 3:03:43 PM
to Tim Donohue, DSpace Technical Support
Dear Tim,

Thanks a lot for this clarification. Let me double check that a version such as DSpace 3.2 that uses Log4j 1.2.14 should not be impacted, isn't that correct?


Soumaia Ahmed Al Ayyat, PhD
Lead Applications Development Analyst
Tech Solutions
The American University in Cairo

Adjunct Faculty (Assistant Professor), CSCE 
The American University in Cairo
Tel: (+2) 2615-3744
P027 UACT, Lib. Bldg., Plaza floor 

Have an IT inquiry?  Need more information about IT Solutions at AUC? Please go to  https://www.aucegypt.edu/digital-innovation  

Save a tree. Don't print this e-mail unless it's really necessary
 Great minds discuss ideas; Average minds discuss events; Small minds discuss people. Eleanor Roosevelt

Tim Donohue

Dec 17, 2021, 3:13:59 PM
to Soumaia Al Ayyat, DSpace Technical Support
As far as we are aware, DSpace 3.x (and below) would be the same as DSpace 4.x/5.x/6.x and should not be impacted by this log4j issue.

That said, all DSpace 4.x, 3.x and 1.x.x releases are end-of-life and are no longer supported. So, we honestly don't go back that far to verify that old of a release. I'd recommend upgrading to a supported version of DSpace (5.x/6.x/7.x) when you get the chance, as you might be impacted by other security issues.

For our release support policies & a list of all supported releases, see https://wiki.lyrasis.org/display/DSPACE/Releases

Tim
