Thanks Brian, that's terrific.

Scott

==========
Scott Renton
Digital Library Development & Systems
Floor F East, Argyle House
515219

________________________________
From: archivesspace_users_group-boun...@lyralists.lyrasis.org <archivesspace_users_group-boun...@lyralists.lyrasis.org> on behalf of Brian Hoffman <brian.hoff...@lyrasis.org>
Sent: 17 December 2021 13:45
To: Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>; SUTHERLAND Ianthe <ianthe.sutherl...@ed.ac.uk>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

This email was sent to you by someone outside the University. You should only click on links or attachments if you are certain that the email is genuine and the content is safe.

Hi Scott,

While we do include those files in the distribution of ArchivesSpace, they are not actually used by the application in production mode. They are part of our development dependencies used to enable file reloading while the application is running in development mode. In future distributions we will look at removing these so there isn't any confusion or perceived risk.

In short, I don't think there is any risk in this case.

Brian

From: archivesspace_users_group-boun...@lyralists.lyrasis.org <archivesspace_users_group-boun...@lyralists.lyrasis.org> on behalf of RENTON Scott <scott.ren...@ed.ac.uk>
Date: Friday, December 17, 2021 at 7:55 AM
To: Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>, SUTHERLAND Ianthe <ianthe.sutherl...@ed.ac.uk>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Hi folks

Two more CVEs have come to our attention which seem to affect log4j v1.2:
https://nvd.nist.gov/vuln/detail/CVE-2019-17571 and
https://access.redhat.com/security/cve/CVE-2021-4104

They seem to only come into play if you use the JMSAppender or the SocketAppender.

We can only see log4j (on v2.7/v2.8) being used in the ./gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar

But I can't see any properties associated with that to see if it uses either of these. Assume it's not a problem, but thought I'd flag it up in case.

Cheers
Scott

==========
Scott Renton
Digital Library Development & Systems
Floor F East, Argyle House
515219

________________________________
From: archivesspace_users_group-boun...@lyralists.lyrasis.org <archivesspace_users_group-boun...@lyralists.lyrasis.org> on behalf of Steele, Henry <henry.ste...@tufts.edu>
Sent: 14 December 2021 16:25
To: Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

It uses JRuby

On Dec 14, 2021, at 11:19 AM, Steele, Henry <henry.ste...@tufts.edu> wrote:

I'm not sure who supports this now—HM?—but I wanted to check about the Yale EAD exporter's potential vulnerability. It's a plug-in but also has a stand-alone application.

On Dec 13, 2021, at 2:01 PM, Blake Carver <blake.car...@lyrasis.org> wrote:

Nope, older versions should be safe as well.

________________________________
From: archivesspace_users_group-boun...@lyralists.lyrasis.org <archivesspace_users_group-boun...@lyralists.lyrasis.org> on behalf of Steele, Henry <henry.ste...@tufts.edu>
Sent: Monday, December 13, 2021 1:52 PM
To: Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Are people on earlier versions of ArchivesSpace, e.g. 2.7.1, that use ArchivesSpace's internal Solr vulnerable?

From: archivesspace_users_group-boun...@lyralists.lyrasis.org <archivesspace_users_group-boun...@lyralists.lyrasis.org> On Behalf Of Peter Heiner
Sent: Saturday, December 11, 2021 9:00 AM
To: Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

While ArchivesSpace itself might not be vulnerable, those who run an external Solr instance should be aware that it itself may be; see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for more information and some possible workarounds.

p

________________________________
From: archivesspace_users_group-boun...@lyralists.lyrasis.org <archivesspace_users_group-boun...@lyralists.lyrasis.org> on behalf of Tom Hanstra <hans...@nd.edu>
Sent: 11 December 2021 13:21
To: Archivesspace Users Group <archivesspace_users_group@lyralists.lyrasis.org>
Subject: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

There is a lot of buzz right now about the log4j exploit being used against Java applications. Does anyone know if ArchivesSpace is vulnerable to these exploits?

Tom

--
Tom Hanstra
Sr. Systems Administrator
hans...@nd.edu

_______________________________________________
Archivesspace_Users_Group mailing list
Archivesspace_Users_Group@lyralists.lyrasis.org
http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
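A defender-side check for the question Scott raises in the thread (whether a bundled log4j 1.x jar is actually wired to a JMSAppender or SocketAppender), added here as an example and not code from the thread or from the ArchivesSpace project; the directory layout and config contents it builds are constructed samples, and the jar-name pattern is an assumption about how log4j jars are usually named.

```python
"""Added example (not from the thread or ArchivesSpace): record every log4j jar
under a tree and flag log4j 1.x configs that enable the appenders behind
CVE-2019-17571 (SocketAppender) and CVE-2021-4104 (JMSAppender)."""
import os
import re
import tempfile

RISKY_APPENDERS = ("org.apache.log4j.net.JMSAppender",
                   "org.apache.log4j.net.SocketAppender")
# Assumed naming: matches log4j-1.2.17.jar and log4j-core-2.x.y.jar; group 2 is the version.
JAR_RE = re.compile(r"^log4j(-core)?-(\d+\.\d+\.\d+)\.jar$")
CONFIG_NAMES = ("log4j.properties", "log4j.xml")

def audit_tree(root):
    """Return {'jars': {path: version}, 'risky_configs': {path: [classes]}}."""
    jars, risky = {}, {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.match(name)
            if m:
                jars[path] = m.group(2)
            elif name in CONFIG_NAMES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                hits = [a for a in RISKY_APPENDERS if a in text]
                if hits:
                    risky[path] = hits
    return {"jars": jars, "risky_configs": risky}

def is_exposed(report):
    """A bundled 1.x jar alone is not exposure; a config must name a risky appender."""
    has_1x = any(v.startswith("1.") for v in report["jars"].values())
    return has_1x and bool(report["risky_configs"])

def build_fixture():
    """Constructed sample tree (hypothetical): the jar path quoted in the thread,
    one harmless config, and one that enables a SocketAppender."""
    root = tempfile.mkdtemp(prefix="aspace-log4j-")
    jar_dir = os.path.join(root, "gems", "gems", "mizuno-0.6.11", "lib", "java")
    cfg_dir = os.path.join(root, "config")
    for d in (jar_dir, cfg_dir):
        os.makedirs(d)
    open(os.path.join(jar_dir, "log4j-1.2.17.jar"), "wb").close()
    with open(os.path.join(jar_dir, "log4j.properties"), "w") as fh:
        fh.write("log4j.rootLogger=INFO, A1\nlog4j.appender.A1=org.apache.log4j.ConsoleAppender\n")
    with open(os.path.join(cfg_dir, "log4j.properties"), "w") as fh:
        fh.write("log4j.rootLogger=INFO, R\nlog4j.appender.R=org.apache.log4j.net.SocketAppender\n")
    return root
```

Run `audit_tree` against a real ArchivesSpace install root instead of `build_fixture()` to see which configs, if any, reference the two appenders; a jar with no such config is the "included but not used" case Brian describes.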