[Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
RENTON Scott
Scott.Renton at ed.ac.uk
Fri Dec 17 07:54:48 EST 2021
Hi folks
Two more CVEs have come to our attention which seem to affect log4j v1.2:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
and
https://access.redhat.com/security/cve/CVE-2021-4104
They seem to only come into play if you use the JMSAppender or the SocketAppender. We can only see log4j (on v2.7/v2.8) being used in the
./gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar
But I can't see any properties associated with that to see if it uses either of these.
Assume it's not a problem, but thought I'd flag it up in case.
Cheers
Scott
==========
Scott Renton
Digital Library Development & Systems
Floor F East
Argyle House
515219
________________________________
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Steele, Henry <Henry.Steele at tufts.edu>
Sent: 14 December 2021 16:25
To: Archivesspace Users Group <archivesspace_users_group at lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
It uses JRuby
On Dec 14, 2021, at 11:19 AM, Steele, Henry <Henry.Steele at tufts.edu> wrote:
I’m not sure who supports this now—HM?—, but I wanted to check about the Yale EAD exporter’s potential vulnerability. It’s a plug-in but also has a stand alone application
On Dec 13, 2021, at 2:01 PM, Blake Carver <blake.carver at lyrasis.org> wrote:
Nope, older versions should be safe as well.
________________________________
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Steele, Henry <Henry.Steele at tufts.edu>
Sent: Monday, December 13, 2021 1:52 PM
To: Archivesspace Users Group <archivesspace_users_group at lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Are people on earlier versions of ArchivesSpace, e.g. 2.7.1 that use archivesspace’s internal solr vulnerable?
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> On Behalf Of Peter Heiner
Sent: Saturday, December 11, 2021 9:00 AM
To: Archivesspace Users Group <archivesspace_users_group at lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
While ArchivesSpace itself might not be vulnerable, those who run an external Solr instance should be aware that it itself may be, see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for more information and some possible workarounds.
p
________________________________
From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Tom Hanstra <hanstra at nd.edu>
Sent: 11 December 2021 13:21
To: Archivesspace Users Group <archivesspace_users_group at lyralists.lyrasis.org>
Subject: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
There is a lot of buzz right now about the log4j exploit being used against Java applications. Does anyone know if ArchivesSpace is vulnerable to these exploits?
Tom
--
Tom Hanstra
Sr. Systems Administrator
hanstra at nd.edu
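For the check raised in the first message of this thread (whether any log4j 1.x configuration uses JMSAppender or SocketAppender), the following is an added example, not code from the thread or from ArchivesSpace. It assumes configuration lives in files named log4j.properties or log4j.xml, on disk or inside .jar/.war archives; the tree built by demo() is constructed sample data and plugin.war is a made-up name.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Appender classes named in the first message of the thread (log4j 1.x packages).
RISKY = re.compile(r"org\.apache\.log4j\.net\.(JMSAppender|SocketAppender)\b")
CONFIG_NAMES = {"log4j.properties", "log4j.xml"}
LOG4J1_JAR = re.compile(r"^log4j-1\.[\d.]+\.jar$")

def risky_appenders(text):
    """Names of risky appenders referenced outside comments in a log4j 1.x config."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # drop XML comments
    live = [l for l in text.splitlines() if not l.lstrip().startswith(("#", "!"))]
    return sorted({m.group(1) for m in RISKY.finditer("\n".join(live))})

def scan(root):
    """Walk root; return (log4j 1.x jar paths, {config location: [appenders]})."""
    jars, findings = [], {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if LOG4J1_JAR.match(path.name):
            jars.append(rel)
        if path.name in CONFIG_NAMES:
            findings[rel] = risky_appenders(path.read_text(errors="replace"))
        elif path.suffix in (".jar", ".war") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:  # configs are often bundled in archives
                for name in zf.namelist():
                    if name.rsplit("/", 1)[-1] in CONFIG_NAMES:
                        text = zf.read(name).decode(errors="replace")
                        findings[f"{rel}!{name}"] = risky_appenders(text)
    return jars, {loc: hits for loc, hits in findings.items() if hits}

def demo():
    """Constructed sample tree: the jar path from the thread plus two made-up configs."""
    root = Path(tempfile.mkdtemp())
    jar = root / "gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar"
    jar.parent.mkdir(parents=True)
    zipfile.ZipFile(jar, "w").close()  # empty stand-in for the real jar
    (root / "log4j.properties").write_text(
        "log4j.rootLogger=INFO, out\n"
        "log4j.appender.out=org.apache.log4j.ConsoleAppender\n"
        "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")  # commented out
    with zipfile.ZipFile(root / "plugin.war", "w") as zf:
        zf.writestr("WEB-INF/classes/log4j.properties",
                    "log4j.appender.s=org.apache.log4j.net.SocketAppender\n")
    return scan(root)

if __name__ == "__main__":
    print(demo())
```

Logging configured programmatically (for example from JRuby code) does not appear in these files, so an empty result covers file-based configuration only.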