<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Menlo;
panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.xxmsonormal, li.xxmsonormal, div.xxmsonormal
{mso-style-name:x_x_msonormal;
margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">I believe so but have not tested that yet. Sometimes the dependency manager, Bundler, can raise problems if gems that it expects to see are not present.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">archivesspace_users_group-bounces@lyralists.lyrasis.org <archivesspace_users_group-bounces@lyralists.lyrasis.org> on behalf of Zhang, Bin <bzhang@csus.edu><br>
<b>Date: </b>Friday, December 17, 2021 at 1:53 PM<br>
<b>To: </b>Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>, SUTHERLAND Ianthe <Ianthe.Sutherland@ed.ac.uk><br>
<b>Subject: </b>Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Brian,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In this case, is it safe to remove them from our production server?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Bin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> archivesspace_users_group-bounces@lyralists.lyrasis.org <archivesspace_users_group-bounces@lyralists.lyrasis.org>
<b>On Behalf Of </b>Brian Hoffman<br>
<b>Sent:</b> Friday, December 17, 2021 5:45 AM<br>
<b>To:</b> Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>; SUTHERLAND Ianthe <Ianthe.Sutherland@ed.ac.uk><br>
<b>Subject:</b> Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Scott,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">While we do include those files in the distribution of ArchivesSpace, they are not actually used by the application in production mode. They are part of our development dependencies used to enable file reloading
while the application is running in development mode. In future distributions we will look at removing these so there isn’t any confusion or perceived risk. In short, I don’t think there is any risk in this case.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Brian<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black"><a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a> <<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a>>
on behalf of RENTON Scott <<a href="mailto:Scott.Renton@ed.ac.uk">Scott.Renton@ed.ac.uk</a>><br>
<b>Date: </b>Friday, December 17, 2021 at 7:55 AM<br>
<b>To: </b>Archivesspace Users Group <<a href="mailto:archivesspace_users_group@lyralists.lyrasis.org">archivesspace_users_group@lyralists.lyrasis.org</a>>, SUTHERLAND Ianthe <<a href="mailto:Ianthe.Sutherland@ed.ac.uk">Ianthe.Sutherland@ed.ac.uk</a>><br>
<b>Subject: </b>Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black">Hi folks</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black">Two more CVEs have come to our attention which seem to affect log4j v1.2:</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17571" target="_blank"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;background:#F8F8F8">https://nvd.nist.gov/vuln/detail/CVE-2019-17571</span></a></span><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:#F8F8F8"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:#F8F8F8">and</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:#F8F8F8"><a href="https://access.redhat.com/security/cve/CVE-2021-4104" target="_blank">https://access.redhat.com/security/cve/CVE-2021-4104</a></span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:12.0pt;color:black">They seem to only come into play if you use the JMSAppender or the SocketAppender. We can only see log4j (on v2.7/v2.8) being used in the </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:12.0pt;color:black"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p style="background:white"><span style="font-size:8.5pt;font-family:Menlo;color:black">./gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div id="Signature">
<div>
<div id="divtagdefaultwrapper">
<p><span style="font-size:12.0pt;color:black">But I can't see any properties associated with that to see if it uses either of these.
</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black"> </span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Assume it's not a problem, but thought I'd flag it up in case.</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black"> </span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Cheers</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Scott</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">==========</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Scott Renton</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Digital Library Development & Systems</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Floor F East</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">Argyle House</span><o:p></o:p></p>
<p><span style="font-size:12.0pt;color:black">515219</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
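<p class="MsoNormal"><span style="font-size:11.0pt">The following Ruby script is an added example, not code from the thread or from the ArchivesSpace project. It does the two checks the messages above describe by hand: it walks an install directory for log4j 1.x jars (the thread quotes one at ./gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar) and it reads any log4j.properties or log4j*.xml files it finds for the two appenders the advisories concern, SocketAppender (CVE-2019-17571) and JMSAppender (CVE-2021-4104). The directory tree and both configuration files it scans are constructed inside a temporary directory so the script runs offline; point audit at a real install directory to use it for its intended purpose. Note that a jar being present on disk says nothing about whether it is loaded, which is the point of the reply above: a jar shipped as a development dependency and never put on the production classpath is a hygiene issue, not an exposure.</span></p>

```ruby
# Added example (not from the mailing-list thread or the ArchivesSpace project):
# list every log4j 1.x jar under an install directory and check the log4j
# configuration files found there for the two appenders named by the
# CVE-2019-17571 (SocketAppender) and CVE-2021-4104 (JMSAppender) advisories.
# The sample tree built by build_sample_tree is constructed for this example.
require 'find'
require 'tmpdir'
require 'fileutils'

RISKY_APPENDERS = {
  'org.apache.log4j.net.SocketAppender' => 'CVE-2019-17571',
  'org.apache.log4j.net.JMSAppender'    => 'CVE-2021-4104',
}.freeze

# Jars whose file name looks like log4j 1.x (log4j-1.2.17.jar, log4j-1.2.jar).
def find_log4j1_jars(root)
  jars = []
  Find.find(root) do |path|
    jars << path if File.file?(path) && File.basename(path) =~ /\Alog4j-1\.\d+(\.\d+)?\.jar\z/
  end
  jars.sort
end

# log4j 1.x configuration files (properties or XML) under root.
def find_log4j_configs(root)
  configs = []
  Find.find(root) do |path|
    configs << path if File.file?(path) && File.basename(path) =~ /\Alog4j.*\.(properties|xml)\z/
  end
  configs.sort
end

# { appender_class => cve } for each risky appender referenced in one config
# file. A plain substring match covers both the properties form
# (log4j.appender.x=org.apache.log4j.net.JMSAppender) and the XML form
# (class="org.apache.log4j.net.SocketAppender").
def risky_appenders_in(config_path)
  text = File.read(config_path)
  RISKY_APPENDERS.select { |klass, _cve| text.include?(klass) }
end

# Full report: jars found, and per config file the risky appenders it names.
def audit(root)
  {
    jars: find_log4j1_jars(root),
    configs: find_log4j_configs(root).map { |c| [c, risky_appenders_in(c)] }.to_h,
  }
end

# Constructed sample tree: the gem path quoted in the thread, an unrelated jar
# that must be ignored, a clean properties file and an XML file using JMSAppender.
def build_sample_tree(root)
  gem_dir = File.join(root, 'gems', 'gems', 'mizuno-0.6.11', 'lib', 'java')
  FileUtils.mkdir_p(gem_dir)
  FileUtils.touch(File.join(gem_dir, 'log4j-1.2.17.jar'))
  FileUtils.touch(File.join(gem_dir, 'jetty-util.jar'))
  File.write(File.join(root, 'log4j.properties'), <<~PROPS)
    log4j.rootLogger=INFO, stdout
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
  PROPS
  File.write(File.join(root, 'log4j-dev.xml'), <<~XML)
    <log4j:configuration>
      <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
    </log4j:configuration>
  XML
  root
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    report = audit(build_sample_tree(dir))
    puts "log4j 1.x jars: #{report[:jars].map { |j| j.sub(dir, '.') }.inspect}"
    report[:configs].each do |cfg, hits|
      desc = hits.empty? ? 'no risky appender' : hits.map { |k, c| "#{k} (#{c})" }.join(', ')
      puts "#{cfg.sub(dir, '.')}: #{desc}"
    end
  end
end
```

<p class="MsoNormal"><span style="font-size:11.0pt">Run against the constructed tree the script reports the one log4j-1.2.17.jar, a clean log4j.properties, and a log4j-dev.xml that references JMSAppender; on a real install, an empty appender list for every config file is the condition the thread is checking for.</span></p>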
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:11.0pt">
<hr size="0" width="100%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:black">From:</span></b><span style="font-size:11.0pt;color:black">
<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a> <<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a>>
on behalf of Steele, Henry <<a href="mailto:Henry.Steele@tufts.edu">Henry.Steele@tufts.edu</a>><br>
<b>Sent:</b> 14 December 2021 16:25<br>
<b>To:</b> Archivesspace Users Group <<a href="mailto:archivesspace_users_group@lyralists.lyrasis.org">archivesspace_users_group@lyralists.lyrasis.org</a>><br>
<b>Subject:</b> Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?</span><span style="font-size:11.0pt">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">It uses JRuby<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt">On Dec 14, 2021, at 11:19 AM, Steele, Henry <<a href="mailto:Henry.Steele@tufts.edu">Henry.Steele@tufts.edu</a>> wrote:<o:p></o:p></span></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> I’m not sure who supports this now—HM?—, but I wanted to check about the Yale EAD exporter’s potential vulnerability. It’s a plug-in but also has a stand-alone application <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt">On Dec 13, 2021, at 2:01 PM, Blake Carver <<a href="mailto:blake.carver@lyrasis.org">blake.carver@lyrasis.org</a>> wrote:<o:p></o:p></span></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Nope, older versions should be safe as well.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:11.0pt">
<hr size="0" width="100%" align="center">
</span></div>
<div id="x_divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:black">From:</span></b><span style="font-size:11.0pt;color:black">
<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a> <<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a>>
on behalf of Steele, Henry <<a href="mailto:Henry.Steele@tufts.edu">Henry.Steele@tufts.edu</a>><br>
<b>Sent:</b> Monday, December 13, 2021 1:52 PM<br>
<b>To:</b> Archivesspace Users Group <<a href="mailto:archivesspace_users_group@lyralists.lyrasis.org">archivesspace_users_group@lyralists.lyrasis.org</a>><br>
<b>Subject:</b> Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?</span><span style="font-size:11.0pt">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt">Are people on earlier versions of ArchivesSpace, e.g. 2.7.1, that use archivesspace’s internal solr vulnerable?<o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xxmsonormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt">
<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a> <<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a>>
<b>On Behalf Of </b>Peter Heiner<br>
<b>Sent:</b> Saturday, December 11, 2021 9:00 AM<br>
<b>To:</b> Archivesspace Users Group <<a href="mailto:archivesspace_users_group@lyralists.lyrasis.org">archivesspace_users_group@lyralists.lyrasis.org</a>><br>
<b>Subject:</b> Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?<o:p></o:p></span></p>
</div>
</div>
<p class="xxmsonormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt">While ArchivesSpace itself might not be vulnerable, those who run an external Solr instance should be aware that it itself may be, see <a href="https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228">https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228</a>
for more information and some possible workarounds.<o:p></o:p></span></p>
</div>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt">p<o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:11.0pt">
<hr size="0" width="100%" align="center">
</span></div>
<div id="x_x_divRplyFwdMsg">
<p class="xxmsonormal"><b><span style="font-size:11.0pt;color:black">From:</span></b><span style="font-size:11.0pt;color:black">
<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a> <<a href="mailto:archivesspace_users_group-bounces@lyralists.lyrasis.org">archivesspace_users_group-bounces@lyralists.lyrasis.org</a>>
on behalf of Tom Hanstra <<a href="mailto:hanstra@nd.edu">hanstra@nd.edu</a>><br>
<b>Sent:</b> 11 December 2021 13:21<br>
<b>To:</b> Archivesspace Users Group <<a href="mailto:archivesspace_users_group@lyralists.lyrasis.org">archivesspace_users_group@lyralists.lyrasis.org</a>><br>
<b>Subject:</b> [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?</span><span style="font-size:11.0pt">
<o:p></o:p></span></p>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt">There is a lot of buzz right now about the log4j exploit being used against Java applications. Does anyone know if ArchivesSpace is vulnerable to these exploits? <o:p></o:p></span></p>
</div>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
</div>
<div>
<p class="xxmsonormal"><span style="font-size:11.0pt">Tom<o:p></o:p></span></p>
</div>
<p class="xxmsonormal"><span style="font-size:11.0pt">-- <o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="xxmsonormal"><b><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:#888888">Tom Hanstra</span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="xxmsonormal"><i><span style="font-size:9.5pt;font-family:"Arial",sans-serif;color:#888888">Sr. Systems Administrator</span></i><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="xxmsonormal"><span style="font-size:9.5pt;color:#888888"><a href="mailto:hanstra@nd.edu" target="_blank"><span style="font-family:"Arial",sans-serif;color:#1155CC">hanstra@nd.edu</span></a></span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="xxmsonormal"><span style="font-size:9.5pt;color:#888888"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">_______________________________________________<br>
Archivesspace_Users_Group mailing list<br>
<a href="mailto:Archivesspace_Users_Group@lyralists.lyrasis.org">Archivesspace_Users_Group@lyralists.lyrasis.org</a><br>
<a href="http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group">http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</body>
</html>