7.1.1 Release Notes

Warning: All DSpace 7.0 or 7.1 sites should be immediately upgraded to 7.1.1 or patched

DSpace 7.0 and 7.1 both bundled a version of the Apache Log4j library that is vulnerable to remote code execution (RCE). The CVE-2021-44228 vulnerability is described in more detail at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 and https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0

DSpace 7.1.1 only contains an update to the Apache Log4j library to ensure DSpace is not vulnerable to CVE-2021-44228. As such, it was only a Backend / REST API release. The DSpace 7.1 Frontend (UI) can be used with the DSpace 7.1.1 Backend.

To ensure your 7.x site is completely secure, perform ALL the following:

  1. Upgrade your DSpace backend (REST API) to version 7.1.1 immediately. This backend is compatible with the DSpace Frontend version 7.1.
    1. If you are unable to perform this upgrade, you may patch your 7.0 or 7.1 site by applying the changes in PR #8065. Specifically, update your ./pom.xml to have <log4j.version>2.15.0</log4j.version>. Then rebuild & redeploy your backend. Make sure to restart Tomcat.
  2. Upgrade to Apache Solr v8.11.1 (or above), to ensure your Solr is patched for CVE-2021-44228.
    1. If you are unable to perform this upgrade, you may patch your current Solr by ensuring that `-Dlog4j2.formatMsgNoLookups=true` is specified in your `SOLR_OPTS` environment variable. For more information, see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
  3. If you use the Handle.Net Registry Support in DSpace 7.x, make sure to restart your Handle Server. This will ensure it is using the new version of log4j as well.
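The following POSIX shell script is an added example, not part of these release notes or of the DSpace project: it verifies a deployment against the two thresholds given above (a log4j-core jar at or above 2.15.0 in the backend, and the formatMsgNoLookups flag in SOLR_OPTS). It assumes the version is carried in the jar file name (log4j-core-<version>.jar); the directory paths at the bottom are placeholders, not DSpace or Solr defaults.

```shell
#!/bin/sh
# Added example (not DSpace project code): offline post-patch checks for CVE-2021-44228.
MIN_LOG4J_VERSION="2.15.0"   # fix version named in the release notes

# version_ge A B: succeeds when dotted version A >= B (missing components count as 0)
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# log4j_core_version PATH: prints the version embedded in a log4j-core-<ver>.jar name
log4j_core_version() {
  basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# jar_is_fixed PATH: succeeds only for a log4j-core jar at or above MIN_LOG4J_VERSION
jar_is_fixed() {
  v=$(log4j_core_version "$1")
  [ -n "$v" ] && version_ge "$v" "$MIN_LOG4J_VERSION"
}

# solr_opts_mitigated "VALUE": succeeds when the no-lookups flag is present as a whole token
solr_opts_mitigated() {
  for tok in $1; do
    [ "$tok" = "-Dlog4j2.formatMsgNoLookups=true" ] && return 0
  done
  return 1
}

# scan_lib_dir DIR: report every log4j-core jar found; fail if any is below the fix version
scan_lib_dir() {
  status=0
  for jar in "$1"/log4j-core-*.jar; do
    [ -e "$jar" ] || continue
    if jar_is_fixed "$jar"; then echo "OK         $jar"; else echo "VULNERABLE $jar"; status=1; fi
  done
  return $status
}

# Placeholder locations: point these at your deployed backend webapp and Solr server.
overall=0
for d in "${DSPACE_LIB:-/opt/dspace/webapps/server/WEB-INF/lib}" "${SOLR_LIB:-/opt/solr/server/lib/ext}"; do
  if [ -d "$d" ]; then scan_lib_dir "$d" || overall=1; fi
done
if solr_opts_mitigated "${SOLR_OPTS:-}"; then echo "SOLR_OPTS: no-lookups flag set"; else echo "SOLR_OPTS: flag absent (acceptable only if Solr is 8.11.1 or above)"; fi
```

Run it on the host with DSPACE_LIB and SOLR_LIB pointing at the real directories; a non-zero status from scan_lib_dir means an unpatched log4j-core jar is still deployed.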

At this time, DSpace 6.x and below appear unaffected by CVE-2021-44228, as they all used log4j v1 exclusively with a default configuration that is not impacted.

7.1 Release Notes

Note: We highly recommend ALL DSpace 7.0 users upgrade to 7.1

DSpace 7.1 contains a security fix to the backend (REST API) for all sites running 7.0. See CVE-2021-41189 for details.