Urgent: ISLE 7 upgrade needed


David Keiser-Clark

Oct 6, 2021, 12:53:01 PM
to Islandora ISLE, isla...@googlegroups.com, icg-inf...@googlegroups.com

Islandora ISLE 7, an open-source and community-led platform, released an update today that includes a just-released patch from Apache for a recently found zero-day exploit. 


Yesterday, Grinnell College flagged this zero-day exploit to the Islandora Slack channel. Today, Gavin Morris, maintainer of ISLE 7, released an updated ISLE Docker Image containing the Apache solution to this problem. Liberal arts colleges and other institutions running ISLE are safer than ever before. Implementing this solution requires three commands (see below) and less than 5 minutes to download and install the new Docker Image. ISLE institutions are able to access this community benefit without requiring a vendor. For institutions with a maintenance contract, your vendor will roll out this ISLE update for you.


Timeline


October 4: Apache releases patch - Apache released a public patch (v 2.4.50) that fixes the problematic version (2.4.49) for this Zero-Day Apache Exploit.


October 5: Grinnell College's IT department flags this exploit as a security issue - Grinnell College's IT team raised this security concern to Mark McFate, their library administrator of Islandora ISLE. Mark contacted Gavin Morris via the Islandora Slack channel. (Thank you Mark!)


October 6: ISLE releases new Docker Image with security fix - Gavin Morris of Born-Digital (he is the current ISLE 7 maintainer) added the Apache security patch to ISLE by updating the Docker Image to include the safe Apache version 2.4.50. All of us can immediately pull down this safely patched ISLE Docker Image. (Thank you Gavin and Born-Digital!)


# To implement this fix, go to the base of your ISLE site configuration, and run:

docker-compose down

docker-compose pull

docker-compose up -d

# This process should bring your site down briefly, automagically get and install the new Docker image, and then bring your site back up. Done. Total time: <5 minutes.


Thank you,

David Keiser-Clark

Williams College


wpwen...@gmail.com

Oct 15, 2021, 3:50:06 PM
to Islandora ISLE
David,

Will 2.4.51 be released and patched in to address the insufficient fix in 2.4.50? Our Information Security department is flagging 2.4.50 as insecure.


Thanks,
Paul Wentzell

ga...@born-digital.com

Oct 18, 2021, 10:28:02 AM
to Islandora ISLE
Good morning, 

Thanks for bringing this up, Paul! 

I am currently re-running the ISLE Apache build process to ensure that the latest build has this newer patch. 

I'll update this thread soon with results. 

Cheers, 
Gavin

ga...@born-digital.com

Oct 18, 2021, 11:27:50 AM
to Islandora ISLE
Repeating from the IF ISLE Slack Channel

Good morning, quick update that the isle-apache 1.5.11 image is now using Apache v.2.4.51. 

Please docker-compose pull for a new image as soon as possible. 

Thank you!

root@eb9648214113:/# apache2 -v
Server version: Apache/2.4.51 (Ubuntu)
Server built:   2021-10-07T19:17:29 
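
Added example (not part of the thread and not ISLE project code): after the down/pull/up cycle described above, this script judges `apache2 -v` output against the releases the thread names (2.4.49 problematic, 2.4.50 insufficient fix, 2.4.51 in isle-apache 1.5.11). The function names, the sample text and the compose service name `apache` are assumptions; adjust the service name to match your docker-compose.yml.

```shell
#!/bin/sh
# Added example: judge `apache2 -v` output against the releases named in
# the thread: 2.4.49 (problematic), 2.4.50 (insufficient fix), 2.4.51.

# Print the X.Y.Z version found in `apache2 -v` output ($1), or nothing.
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print a verdict for `apache2 -v` output ($1).
# Returns 0 = at or above 2.4.51, 1 = 2.4.49 or 2.4.50, 2 = unparsable,
# 3 = older than the releases this thread discusses.
classify_apache() {
    av_ver=$(apache_version "$1")
    if [ -z "$av_ver" ]; then
        echo "unknown: no Apache version in input"
        return 2
    fi
    case "$av_ver" in
        2.4.49) echo "vulnerable: $av_ver is the problematic release"; return 1 ;;
        2.4.50) echo "vulnerable: $av_ver has the insufficient fix"; return 1 ;;
    esac
    # Split X.Y.Z with parameter expansion and compare numerically.
    av_maj=${av_ver%%.*}; av_rest=${av_ver#*.}
    av_min=${av_rest%%.*}; av_pat=${av_rest#*.}
    if [ $(( av_maj * 1000000 + av_min * 1000 + av_pat )) -ge 2004051 ]; then
        echo "ok: $av_ver"
        return 0
    fi
    echo "unlisted: $av_ver predates the releases discussed here"
    return 3
}

# Ask the running container. Assumption: the compose service is named
# "apache"; pass another name as $1 if yours differs.
check_isle_apache() {
    av_out=$(docker-compose exec -T "${1:-apache}" apache2 -v) || return 2
    classify_apache "$av_out"
}

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE_OLD='Server version: Apache/2.4.50 (Ubuntu)
Server built:   2021-10-05T00:00:00'

# Run the live check only when asked: sh check.sh --check [service]
if [ "${1:-}" = "--check" ]; then check_isle_apache "${2:-apache}"; fi
```

A non-zero exit status from `--check` means the container still needs `docker-compose pull` followed by a restart.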