Apache Log4j SEoL (<= 1.x)


Zikrul

Jun 14, 2024, 4:09:37 AM
to DSpace Technical Support

Hi,

We are trying to deal with a critical vulnerability reported as "Apache Log4j SEoL (<= 1.x)" on a DSpace 5.6 server. It is running on Red Hat Enterprise Linux Server 7.9. It says the reason is that Apache Log4j is less than or equal to 1.x and is therefore no longer maintained by its vendor or provider. The suggested solution is that we need a version of Apache Log4j that is currently supported. Going through the Log4j documentation on the website is not much help and is only a generic guide.

I am wondering if anyone has resolved the issue without upgrading DSpace to the latest version and would like to share the knowledge of how to resolve it, please.

Kind Regards
Hassan Bhuiyan

DSpace Technical Support

Jun 14, 2024, 1:48:59 PM
to DSpace Technical Support
Hi Hassan,

A guide for these log4j vulnerabilities was shared on dspace-community & dspace-tech list back in Dec 2021 (when they were first announced):

There are a few options offered in that thread. Basically, though, it's extremely complex to upgrade from log4j v1 to v2 as they are not compatible. I'm not aware of anyone who has done this for DSpace 5.x or 6.x. But the 7.x set of releases all use log4j v2. So, you might want to consider upgrading to DSpace 7.

Another option is to upgrade to DSpace 6.4, as it switched DSpace 6.x from log4j to reload4j. See https://github.com/DSpace/DSpace/pull/8144. This was a basic "patch" offered to sites that couldn't upgrade to DSpace 7. I don't know if it's possible to backport to 5.x.

Tim
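Whichever route is taken (reload4j swap or a DSpace 7 upgrade), the scanner finding can be checked locally by inventorying the log4j-family jars actually deployed. The script below is an added example, not code from this thread or from the DSpace project: it walks a Tomcat webapps tree (or any directory), classifies each jar by its Maven artifact name (assumed to follow the standard `log4j-1.x`, `reload4j-*`, `log4j-core-2.x` naming) and exits non-zero while any end-of-life 1.x jar is still present; the sample directory in the test is constructed.

```shell
#!/bin/sh
# Added example (not DSpace project code): find end-of-life log4j 1.x jars
# in a deployment so the "Apache Log4j SEoL (<= 1.x)" finding can be
# verified before and after applying the reload4j swap or a 7.x upgrade.
# Assumption: jars keep their standard Maven artifact names.

# classify_log4j_jar PATH -> prints one of: log4j1 reload4j log4j2 other
classify_log4j_jar() {
    case "$(basename "$1")" in
        reload4j-*.jar)        echo reload4j ;;
        # log4j-1.2-api-2.x is the 2.x compatibility bridge, NOT a 1.x jar,
        # so it must be matched before the generic 1.x pattern below.
        log4j-1.2-api-*.jar)   echo log4j2 ;;
        log4j-1.*.jar)         echo log4j1 ;;
        log4j-api-*.jar|log4j-core-*.jar|log4j-*-2.*.jar)
                               echo log4j2 ;;
        *)                     echo other ;;
    esac
}

# scan_tree DIR -> prints "<kind> <path>" for every log4j-family jar found
# under DIR; returns 1 if any EOL log4j 1.x jar is present, 0 otherwise.
scan_tree() {
    found=0
    # Here-doc instead of a pipe so $found survives (no subshell).
    while IFS= read -r jar; do
        kind=$(classify_log4j_jar "$jar")
        [ "$kind" = other ] && continue
        printf '%-9s %s\n' "$kind" "$jar"
        [ "$kind" = log4j1 ] && found=1
    done <<EOF
$(find "$1" -name '*.jar' | sort)
EOF
    return $found
}

# Usage: sh log4j_inventory.sh /path/to/tomcat/webapps
if [ -n "${1:-}" ]; then
    scan_tree "$1"
fi
```

Run it against the Tomcat `webapps` directory of the DSpace 5.6 instance; a `log4j1` line is what the scanner is reacting to, and after the swap only `reload4j` (or, on 7.x, `log4j2`) lines should remain.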
