Hi, does the latest news on the log4j component security vulnerability have impacts on CollectionSpace administration and operations?
Hi Willi,
CollectionSpace 6.0 and above have a vulnerable version of log4j. I'm still investigating the impact. I don't think unauthenticated users can supply a string that would be logged, but I need to confirm. I recommend adding this JVM startup option to mitigate:
-Dlog4j2.formatMsgNoLookups=true
In a standard installation, you can edit $CSPACE_JEESERVER_HOME/bin/setenv.sh, and add that to the JAVA_OPTS variable.
I'll put in patches to the 6.0 and above branches to upgrade to log4j 2.15.0 (which sets that property to true by default). After that you'll be able to rebuild the services layer to upgrade log4j.
Ray
From: ww@williwolf.net ww@williwolf.net
Sent: Monday, December 13, 2021 12:58 PM
To: talk@lists.collectionspace.org
Subject: [Talk] Log4j vulnerability impact?
Hi, does the latest news on the log4j component security vulnerability have impacts on CollectionSpace administration and operations?
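As an added example, not from the thread or the CollectionSpace project, here is a small POSIX shell script that applies Ray's interim mitigation idempotently: it appends the -Dlog4j2.formatMsgNoLookups=true flag to JAVA_OPTS in a setenv.sh only if it is not already there, and then sources the file in a subshell to confirm what the JVM would actually receive. The setenv.sh path and its sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread: idempotently append the log4j
# mitigation flag to JAVA_OPTS in a setenv.sh and verify it took effect.
# The setenv.sh path and sample contents below are constructed for illustration.

MITIGATION='-Dlog4j2.formatMsgNoLookups=true'

# has_mitigation FILE: succeed if some JAVA_OPTS assignment in FILE carries the flag.
has_mitigation() {
    grep -q 'JAVA_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# add_mitigation FILE: append an assignment that extends JAVA_OPTS, unless the
# flag is already present. Appending rather than editing existing lines keeps
# whatever the installation already sets and is easy to revert later.
add_mitigation() {
    if has_mitigation "$1"; then
        return 0
    fi
    printf '\n# log4j mitigation (disable message lookups)\nJAVA_OPTS="$JAVA_OPTS %s"\nexport JAVA_OPTS\n' "$MITIGATION" >> "$1"
    has_mitigation "$1"
}

# effective_java_opts FILE: source FILE in a subshell and print the resulting
# JAVA_OPTS, i.e. the value catalina.sh would see when it sources setenv.sh.
effective_java_opts() {
    ( JAVA_OPTS=""; . "$1"; printf '%s\n' "$JAVA_OPTS" )
}

# Demo on a constructed setenv.sh; a real one lives at
# $CSPACE_JEESERVER_HOME/bin/setenv.sh in a standard installation.
demo_file="$(mktemp)"
printf 'export JAVA_OPTS="-Xms512m -Xmx1024m"\n' > "$demo_file"
add_mitigation "$demo_file"
add_mitigation "$demo_file"   # second call is a no-op
effective_java_opts "$demo_file"
rm -f "$demo_file"
```

The flag takes effect only after Tomcat is restarted, and upgrading log4j as Ray describes remains the lasting fix.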