[Archivesspace_Users_Group] Observation when in production mode of ArchivesSpace

[Brian Hoffman]

Hi,

Mizuno is actually never used in a production context, so it would also be fine to just delete any files you don’t like within the gem’s directory.

Furthermore, after 3.1.1 we made our own version of Mizuno:
https://github.com/archivesspace/mizuno
But 3.2.0 was inadvertently released with both the old and new version. For people who downloaded 3.2.0, I believe the instructions in the blog post are still accurate (the old version can simply be removed).

For upcoming releases we are going to remove mizuno entirely from the distribution files. Sorry for all the confusion.

Brian

From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> on behalf of Duckett, Brian (NIH/NLM) [C] <brian.duckett at nih.gov>
Date: Friday, June 17, 2022 at 5:00 PM
To: archivesspace_users_group at lyralists.lyrasis.org <archivesspace_users_group at lyralists.lyrasis.org>
Cc: Whitaker, John (NIH/NLM) [C] <john.whitaker at nih.gov>, Kalyanasundaram, Sriram (NIH/NLM) [C] <sriram.kalyanasundaram at nih.gov>
Subject: [Archivesspace_Users_Group] Observation when in production mode of ArchivesSpace
Hello,

During a deployment a few weeks ago, our internal security team identified ladle and mizuno as security risks due to the log4j vulnerability announced last year. We were able to successfully remove ladle, deploy and ArchivesSpace v3.1.1 started and ran successfully. When attempting the same with the removal of Mizuno we encountered an error and attempting to simply remove log4j from Mizuno, we received the following:

Gem Load Error is: Unknown or missing jar: log4j

Through some investigation we found that the contents of the Mizuno repository changed, yet a new version of the gem was not published. We replaced the contents of the Mizuno gem with the contents of the main branch of the repository and all was well. Essentially we wanted to bring to your attention, removing Mizuno and running ArchivesSpace v3.1.1 in production mode will cause the application to throw a runtime error, which is not congruent with the post from December<https://archivesspace.org/archives/7226?utm_source=rss&utm_medium=rss&utm_campaign=archivesspace-update-december-2021> addressing the log4j issue.

Thank you,

Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lyralists.lyrasis.org/pipermail/archivesspace_users_group/attachments/20220621/9451f92d/attachment.html>