Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Hi Brian, In this case, is it safe to remove them from our production server? Thanks Bin

From: archivesspace_users_group-boun...@lyralists.lyrasis.org On Behalf Of Brian Hoffman Sent: Friday, December 17, 2021 5:45 AM To: Archivesspace Users Group; SUTHERLAND Ianthe Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Hi Scott, While we do include those files in the distribution of ArchivesSpace, they are not actually used by the application in production mode. They are part of our development dependencies used to enable file reloading while the application is running in development mode. In future distributions we will look at removing these so there isn’t any confusion or perceived risk. In short, I don’t think there is any risk in this case. Brian

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of RENTON Scott Date: Friday, December 17, 2021 at 7:55 AM To: Archivesspace Users Group, SUTHERLAND Ianthe Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Hi folks, Two more CVEs have come to our attention which seem to affect log4j v1.2: https://nvd.nist.gov/vuln/detail/CVE-2019-17571 and https://access.redhat.com/security/cve/CVE-2021-4104 They seem to only come into play if you use the JMSAppender or the SocketAppender. We can only see log4j (on v2.7/v2.8) being used in the ./gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar but I can't see any properties associated with that to see if it uses either of these. Assume it's not a problem, but thought I'd flag it up in case.
Cheers Scott == Scott Renton Digital Library Development & Systems Floor F East Argyle House 515219

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Steele, Henry Sent: 14 December 2021 16:25 To: Archivesspace Users Group Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

It uses JRuby.

On Dec 14, 2021, at 11:19 AM, Steele, Henry wrote: I’m not sure who supports this now—HM?—, but I wanted to check about the Yale EAD exporter’s potential vulnerability. It’s a plug-in but also has a stand-alone application.

On Dec 13, 2021, at 2:01 PM, Blake Carver wrote: Nope, older versions should be safe as well.

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Steele, Henry Sent: Monday, December 13, 2021 1:52 PM To: Archivesspace Users Group Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Are people on earlier versions of ArchivesSpace, e.g. 2.7.1, that use ArchivesSpace’s internal Solr vulnerable?
From: archivesspace_users_group-boun...@lyralists.lyrasis.org On Behalf Of Peter Heiner Sent: Saturday, December 11, 2021 9:00 AM To: Archivesspace Users Group Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

While ArchivesSpace itself might not be vulnerable, those who run an external Solr instance should be aware that it itself may be; see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for more information and some possible workarounds. p

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Tom Hanstra Sent: 11 December 2021 13:21 To: Archivesspace Users Group Subject: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Thanks Brian, that's terrific. Scott == Scott Renton Digital Library Development & Systems Floor F East Argyle House 515219

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Brian Hoffman Sent: 17 December 2021 13:45 To: Archivesspace Users Group; SUTHERLAND Ianthe Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Hi Scott, While we do include those files in the distribution of ArchivesSpace, they are not actually used by the application in production mode. They are part of our development dependencies used to enable file reloading while the application is running in development mode. In future distributions we will look at removing these so there isn’t any confusion or perceived risk. In short, I don’t think there is any risk in this case. Brian
___ Archivesspace_Users_Group mailing list Archivesspace_Users_Group@lyralists.lyrasis.org http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Hi folks, Two more CVEs have come to our attention which seem to affect log4j v1.2: https://nvd.nist.gov/vuln/detail/CVE-2019-17571 and https://access.redhat.com/security/cve/CVE-2021-4104 They seem to only come into play if you use the JMSAppender or the SocketAppender. We can only see log4j (on v2.7/v2.8) being used in the ./gems/gems/mizuno-0.6.11/lib/java/log4j-1.2.17.jar but I can't see any properties associated with that to see if it uses either of these. Assume it's not a problem, but thought I'd flag it up in case. Cheers Scott == Scott Renton Digital Library Development & Systems Floor F East Argyle House 515219

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Steele, Henry Sent: 14 December 2021 16:25 To: Archivesspace Users Group Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

It uses JRuby.
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
It uses JRuby.

On Dec 14, 2021, at 11:19 AM, Steele, Henry wrote: I’m not sure who supports this now—HM?—, but I wanted to check about the Yale EAD exporter’s potential vulnerability. It’s a plug-in but also has a stand-alone application.
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
I’m not sure who supports this now—HM?—, but I wanted to check about the Yale EAD exporter’s potential vulnerability. It’s a plug-in but also has a stand-alone application.

On Dec 13, 2021, at 2:01 PM, Blake Carver wrote: Nope, older versions should be safe as well.

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Steele, Henry Sent: Monday, December 13, 2021 1:52 PM To: Archivesspace Users Group Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

Are people on earlier versions of ArchivesSpace, e.g. 2.7.1, that use ArchivesSpace’s internal Solr vulnerable?
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Are people on earlier versions of ArchivesSpace, e.g. 2.7.1, that use ArchivesSpace's internal Solr vulnerable?

From: archivesspace_users_group-boun...@lyralists.lyrasis.org On Behalf Of Peter Heiner Sent: Saturday, December 11, 2021 9:00 AM To: Archivesspace Users Group Subject: Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

While ArchivesSpace itself might not be vulnerable, those who run an external Solr instance should be aware that it itself may be; see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for more information and some possible workarounds. p
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
While ArchivesSpace itself might not be vulnerable, those who run an external Solr instance should be aware that it itself may be; see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 for more information and some possible workarounds. p

From: archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Tom Hanstra Sent: 11 December 2021 13:21 To: Archivesspace Users Group Subject: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?

There is a lot of buzz right now about the log4j exploit being used against Java applications. Does anyone know if ArchivesSpace is vulnerable to these exploits? Tom -- Tom Hanstra Sr. Systems Administrator hans...@nd.edu
Re: [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
Right, it is bad. I'm digging around at everything this morning looking for places that might be vulnerable. There are a couple of gems in the gems directory which use older versions of log4j (ladle-0.2.0-java, mizuno-0.6.11). No idea where those come into play with the overall software. Tom

On Sat, Dec 11, 2021 at 8:46 AM Blake Carver wrote:
> Almost certainly not, there's no absolutes in this stuff, but from everything I've read it's currently not vulnerable.
>
> This is a bad vulnerability, log4j is all over the place.
> --
> *From:* archivesspace_users_group-boun...@lyralists.lyrasis.org on behalf of Tom Hanstra
> *Sent:* Saturday, December 11, 2021 8:21 AM
> *To:* Archivesspace Users Group
> *Subject:* [Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
>
> There is a lot of buzz right now about the log4j exploit being used against Java applications. Does anyone know if ArchivesSpace is vulnerable to these exploits?
>
> Tom

-- *Tom Hanstra* *Sr. Systems Administrator* hans...@nd.edu
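Tom's message above describes searching the gems directory for bundled log4j jars, and Scott's message earlier in the thread asks whether the log4j 1.2 jar under mizuno is configured to use JMSAppender or SocketAppender. The script below is an added example written for this page; it is not ArchivesSpace code and was not posted by anyone on the list. It walks a directory tree, opens every jar whose file name contains "log4j", reads the version from the jar's own pom.properties or manifest, flags the log4j 2.x JndiLookup class (the class CVE-2021-44228 goes through; Apache's advisory lists deleting it from log4j-core as a mitigation for installs that cannot upgrade) and the log4j 1.x network classes the thread mentions (JMSAppender for CVE-2021-4104, SocketServer for CVE-2019-17571, and SocketAppender), and parses a log4j 1.x properties file to see whether a JMS or Socket appender is actually configured, which is the question Scott could not answer from the jar alone. The jars and properties text it runs against by default are constructed fixtures built in a temp directory; the gem path, version strings and appender names in them are placeholders, not real ArchivesSpace files.

```python
"""Audit a directory tree for bundled log4j jars and risky log4j 1.x config.

Added example for this thread; not ArchivesSpace code. Python stdlib only.
"""
import os
import re
import tempfile
import zipfile

# log4j 2.x: the class behind CVE-2021-44228 (package org.apache.logging.log4j).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# log4j 1.x network classes discussed in the thread (package org.apache.log4j.net).
RISKY_1X_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender",    # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class": "SocketServer",  # CVE-2019-17571
    "org/apache/log4j/net/SocketAppender.class": "SocketAppender",
}
RISKY_1X_APPENDERS = {"org.apache.log4j.net.JMSAppender", "org.apache.log4j.net.SocketAppender"}
# Matches only the line that binds an appender name to a class, not its sub-properties.
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*=\s*(\S+)", re.M)


def jar_version(zf):
    """Best-effort version from pom.properties, else the manifest; None if neither."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
            if m:
                return m.group(1).strip()
    if "META-INF/MANIFEST.MF" in zf.namelist():
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^(?:Implementation-Version|Bundle-Version):\s*(.+)$", manifest, re.M)
        if m:
            return m.group(1).strip()
    return None


def inspect_jar(path):
    """Report the jar's version and whether the CVE-relevant classes are inside it."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = jar_version(zf)
    return {
        "path": path,
        "version": version,
        "jndi_lookup": JNDI_LOOKUP in names,
        "risky_1x_classes": sorted(label for cls, label in RISKY_1X_CLASSES.items() if cls in names),
    }


def scan_for_log4j(root):
    """Findings for every *.jar under root whose file name contains 'log4j'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".jar") and "log4j" in fname.lower():
                findings.append(inspect_jar(os.path.join(dirpath, fname)))
    return sorted(findings, key=lambda f: f["path"])


def configured_risky_appenders(properties_text):
    """Appender names in a log4j 1.x properties file bound to a JMS or Socket appender.

    A jar merely containing JMSAppender is not enough for CVE-2021-4104 to apply;
    the appender has to be configured, which is what this check looks for.
    """
    return sorted(name for name, cls in APPENDER_RE.findall(properties_text)
                  if cls in RISKY_1X_APPENDERS)


# ---- constructed fixtures: stand-ins, not real log4j jars or real config ----
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.Threshold=WARN
"""


def build_sample_tree(root):
    """Write two placeholder jars under root (paths and versions are made up)."""
    def write_jar(relpath, entries):
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    # Stand-in for a log4j 1.2 jar: network classes present, no JndiLookup.
    write_jar("gems/gems/example-gem/lib/java/log4j-1.2.17.jar", {
        "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.17\ngroupId=log4j\n",
        "org/apache/log4j/net/JMSAppender.class": b"",
        "org/apache/log4j/net/SocketAppender.class": b"",
        "org/apache/log4j/net/SocketServer.class": b"",
    })
    # Stand-in for an unpatched log4j-core 2.x jar: JndiLookup present.
    write_jar("lib/log4j-core-2.14.1.jar", {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n",
        JNDI_LOOKUP: b"",
    })


def demo():
    """Scan the constructed tree; return (findings with root-relative paths, risky appenders)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_for_log4j(root)
        for f in findings:
            f["path"] = os.path.relpath(f["path"], root)
    return findings, configured_risky_appenders(SAMPLE_PROPERTIES)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # real use: python log4j_audit.py /path/to/archivesspace
        results = scan_for_log4j(sys.argv[1])
    else:                          # no argument: run against the constructed fixtures
        results, risky = demo()
        print("configured risky 1.x appenders in sample config:", risky)
    for finding in results:
        print(finding)
```

Two caveats apply when reading its output. A jar on disk is not the same as a jar on the running classpath, which is the distinction Brian draws further up the thread for the development-only gems, so a hit still has to be traced to whether anything loads it in production. And for an external Solr the jar lives in the Solr install, not under ArchivesSpace, so point the scanner there as well and follow the Solr advisory Peter links to rather than treating the ArchivesSpace tree as the whole picture.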
[Archivesspace_Users_Group] log4j vulnerability in ArchivesSpace?
There is a lot of buzz right now about the log4j exploit being used against Java applications. Does anyone know if ArchivesSpace is vulnerable to these exploits? Tom -- *Tom Hanstra* *Sr. Systems Administrator* hans...@nd.edu