Hi All,
If you're running CollectionSpace 6.0 or above, patches are now available to upgrade log4j to 2.15.0, in order to mitigate the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) vulnerability.
If you've already applied the previously recommended mitigation (adding -Dlog4j2.formatMsgNoLookups=true to the JVM startup options), you don't need to upgrade log4j, but it won't hurt anything if you do.
To upgrade:

1. Stop the CollectionSpace server.

2. In your services source code directory (typically /opt/collectionspace/services or /home/cspace/collectionspace-source/services), pull the latest code for your release branch:

       cd /opt/collectionspace/services
       git pull

3. Build the services source code:

       mvn clean install -DskipTests

4. Redeploy the services web application:

       ant undeploy deploy

To verify that log4j has been upgraded, check the jar files that exist in the tomcat lib directory:

    cd $CSPACE_JEESERVER_HOME/lib
    ls log4j*.jar

All of the listed filenames should end with -2.15.0.jar.
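A scripted version of the verification step above, added here as an example and not code from the original post or the CollectionSpace project: it scans the Tomcat lib directory for log4j jars, flags any whose name does not end in -2.15.0.jar, and separately checks a JVM options string for the earlier -Dlog4j2.formatMsgNoLookups=true mitigation. The function names, the optional directory argument and the sample jar names are assumptions; $CSPACE_JEESERVER_HOME is used as in the post.

```shell
#!/bin/sh
# Added example (constructed): automate the manual `ls log4j*.jar` check.
# Assumes $CSPACE_JEESERVER_HOME names the CollectionSpace Tomcat instance,
# as in the post; function names are assumptions, not project code.
EXPECTED_VERSION="2.15.0"

# Print each log4j jar with its status. Returns 0 only when every jar ends
# with -<version>.jar, 1 if any is outdated, 2 if no log4j jars were found.
check_log4j_jars() {
    libdir="$1"
    version="${2:-$EXPECTED_VERSION}"
    bad=0
    found=0
    for jar in "$libdir"/log4j*.jar; do
        [ -e "$jar" ] || continue   # unmatched glob stays literal; skip it
        found=1
        case "$(basename "$jar")" in
            *-"$version".jar) echo "ok       $jar" ;;
            *)                echo "OUTDATED $jar"; bad=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no log4j jars found in $libdir" >&2
        return 2
    fi
    return "$bad"
}

# Returns 0 if a JVM options string already carries the earlier mitigation
# flag, which the post says makes the jar upgrade optional.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    libdir="${1:-${CSPACE_JEESERVER_HOME:?set CSPACE_JEESERVER_HOME}/lib}"
    if check_log4j_jars "$libdir"; then
        echo "log4j upgraded to $EXPECTED_VERSION"
    else
        echo "log4j upgrade incomplete in $libdir" >&2
        exit 1
    fi
}

# Run only when a lib directory is given, e.g.:
#   sh check_log4j.sh "$CSPACE_JEESERVER_HOME/lib"
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit from the script means at least one log4j jar in the directory still carries an older version, so the undeploy/deploy step should be repeated before the server is restarted.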
Reply to the talk list if you have any questions or run into any problems.
Thanks,
Ray