
7.1.1 Release Notes (Backend Only)

Warning: All DSpace 7.0 or 7.1 sites should immediately ensure the backend is upgraded to 7.1.1 or patched.

DSpace 7.0 and 7.1 both used a bundled version of the Apache Log4j library vulnerable to RCE (remote command execution). The CVE-2021-44228 vulnerability is described in more detail at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 and https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0

...

To ensure your 7.x site is completely secure, perform ALL of the following:

  1. Upgrade your DSpace backend (REST API) to version 7.1.1 immediately. This backend is compatible with DSpace Frontend version 7.1.
     a. If you are unable to perform this upgrade, you may patch your 7.0 or 7.1 site by applying the changes in PR #8065. Specifically, update your ./pom.xml to have <log4j.version>2.15.0</log4j.version>, then rebuild and redeploy your backend. Make sure to restart Tomcat.
  2. Upgrade to Apache Solr v8.11.1 (or above) to ensure your Solr is patched for CVE-2021-44228.
     a. If you are unable to perform this upgrade, you may patch your current Solr by ensuring that `-Dlog4j2.formatMsgNoLookups=true` is specified in your `SOLR_OPTS` environment variable. For more information, see https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
  3. If you use the Handle.Net Registry Support in DSpace 7.x, make sure to restart your Handle Server. This ensures it is also using the new version of log4j.
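The following POSIX shell script is an added example, not part of the DSpace release notes or the DSpace project, for verifying that the two workarounds above have actually been applied on a host: it reads the `<log4j.version>` property out of a pom.xml and checks it is at least 2.15.0, and it checks whether `SOLR_OPTS` carries `-Dlog4j2.formatMsgNoLookups=true`. The pom.xml path is passed as an argument (an assumption; point it at your backend's ./pom.xml), and the version comparison is numeric per dotted component rather than a string match, so later Log4j releases also pass.

```shell
#!/bin/sh
# Added example (not DSpace project code): verify the Log4j mitigations
# described in the 7.1.1 release notes are present on this host.

# Print the value of <log4j.version> from the pom.xml given as $1 (first match only).
log4j_version_in_pom() {
    sed -n 's/.*<log4j\.version>\([^<]*\)<\/log4j\.version>.*/\1/p' "$1" | head -n 1
}

# version_ge A B -> exit 0 if dotted numeric version A >= B, else 1.
# Each component is compared as an integer, so 2.15.0 >= 2.15.0 and 2.17.1 >= 2.15.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# pom_is_patched POM -> exit 0 if the pom pins log4j.version to 2.15.0 or later.
pom_is_patched() {
    v=$(log4j_version_in_pom "$1")
    [ -n "$v" ] && version_ge "$v" "2.15.0"
}

# solr_opts_has_nolookups "OPTS" -> exit 0 if the exact JVM flag from the
# release notes is present as a whole token in the given SOLR_OPTS string.
solr_opts_has_nolookups() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    esac
    return 1
}

# Stand-alone usage: sh check-log4j.sh /path/to/dspace/pom.xml
# (SOLR_OPTS is read from the environment of the invoking shell.)
if [ -n "${1:-}" ]; then
    if pom_is_patched "$1"; then
        echo "pom.xml: log4j.version $(log4j_version_in_pom "$1") (patched)"
    else
        echo "pom.xml: log4j.version '$(log4j_version_in_pom "$1")' is missing or below 2.15.0 (NOT patched)"
    fi
    if solr_opts_has_nolookups "${SOLR_OPTS:-}"; then
        echo "SOLR_OPTS: -Dlog4j2.formatMsgNoLookups=true is set"
    else
        echo "SOLR_OPTS: -Dlog4j2.formatMsgNoLookups=true is NOT set"
    fi
fi
```

Run it on the same account that starts Solr so `SOLR_OPTS` reflects what the Solr process actually receives; the pom check only tells you what will be built, so after patching you still need the rebuild, redeploy and Tomcat restart from step 1.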

...