...
At this time, DSpace 6.x and below appear unaffected by CVE-2021-44228, as they all used log4j v1 exclusively with a default configuration that is not impacted.
Info: Immediately after version 7.1.1 was released, the log4j community announced a secondary, less severe vulnerability (CVE-2021-45046), which was patched in the log4j v2.16.0 release. This fix is NOT included in 7.1.1. However, you can apply this secondary patch immediately by applying the changes in https://github.com/DSpace/DSpace/pull/8070. This is again a one-line change: update your ./pom.xml to have <log4j.version>2.16.0</log4j.version>, then rebuild and redeploy your backend.
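An added check, not part of the DSpace documentation or code base, to confirm that the change above took effect: it reads the log4j.version property from pom.xml and lists any log4j-core jar older than 2.16.0 still present under a deployed library directory. The sample pom, the jar names and the `lib` directory are constructed for illustration; point the functions at your own paths.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PATCHED = (2, 16, 0)  # log4j release this page names as fixing CVE-2021-45046
JAR_RE = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")

# Constructed sample: a minimal pom.xml that already carries the one-line change.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>2.16.0</log4j.version>
  </properties>
</project>"""

def parse_version(text):
    """Turn '2.16.0' (or '2.9') into a comparable tuple such as (2, 16, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def pom_log4j_version(pom_path):
    """Return the <log4j.version> property value from a pom.xml, or None."""
    for el in ET.parse(pom_path).getroot().iter():
        # Strip the Maven XML namespace, if any, before comparing tag names.
        if el.tag.rsplit("}", 1)[-1] == "log4j.version" and el.text:
            return el.text.strip()
    return None

def stale_log4j_jars(lib_dir):
    """Names of log4j-core jars below PATCHED anywhere under lib_dir."""
    hits = (JAR_RE.match(p.name) for p in sorted(Path(lib_dir).rglob("*.jar")))
    return [m.group(0) for m in hits if m and parse_version(m.group(1)) < PATCHED]

def demo():
    """Pom is patched, but an old jar (constructed name) is still deployed."""
    with tempfile.TemporaryDirectory() as tmp:
        pom = Path(tmp, "pom.xml")
        pom.write_text(SAMPLE_POM)
        lib = Path(tmp, "lib")  # assumed stand-in for the deployed lib directory
        lib.mkdir()
        for name in ("log4j-core-2.15.0.jar", "log4j-api-2.16.0.jar"):
            (lib / name).touch()
        version = pom_log4j_version(pom)
        return version, parse_version(version) >= PATCHED, stale_log4j_jars(lib)

if __name__ == "__main__":
    print(demo())
```

A non-empty result from `stale_log4j_jars` after editing pom.xml means the rebuild and redeploy step has not yet replaced the running libraries.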
7.1 Release Notes
Note: DSpace 7.1 contains a security fix to the backend (REST API) for all sites running 7.0. See CVE-2021-41189 for details.
...