...

At this time, DSpace 6.x and below appear unaffected by CVE-2021-44228, as they all used log4j v1 exclusively with a default configuration that is not impacted.

Info: Additional log4j patch available for 7.x

Immediately after version 7.1.1 was released, the log4j community announced a secondary, less severe vulnerability (CVE-2021-45046), which was patched in the log4j v2.16.0 release.

This fix is NOT included in 7.1.1. However, you can apply this secondary patch immediately by applying the changes in https://github.com/DSpace/DSpace/pull/8070. This is again a one-line change: update your ./pom.xml to have <log4j.version>2.16.0</log4j.version>, then rebuild and redeploy your backend.
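Two defender-side checks for that pom.xml change, as an added example that is not part of the DSpace release notes or the linked pull request: one confirms the `<log4j.version>` property in a pom.xml meets the 2.16.0 floor, the other scans a deployed tree (such as the backend's `WEB-INF/lib`) for `log4j-core-<version>.jar` files that are still older than the floor, since a rebuilt pom proves nothing until the redeployed jars on disk match it. The fixture directories, file names and version comparison helper are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the DSpace release notes: two defender-side checks
# for the pom.xml change described above. The fixture layout, file names and
# the three-component version comparison are assumptions made for the demo.

MIN_LOG4J="2.16.0"   # floor set by the log4j 2.16.0 release named in the notes

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing up to
# three numeric components (missing components count as 0, so 2.16 == 2.16.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# pom_log4j_version FILE: print the value of <log4j.version> found in a pom.xml.
pom_log4j_version() {
  sed -n 's/.*<log4j\.version>\([^<]*\)<\/log4j\.version>.*/\1/p' "$1" | head -n 1
}

# check_pom FILE: succeed when the pom pins log4j at or above MIN_LOG4J.
check_pom() {
  v=$(pom_log4j_version "$1")
  [ -n "$v" ] && version_ge "$v" "$MIN_LOG4J"
}

# find_stale_log4j_jars DIR: list every log4j-core-<version>.jar under DIR and
# fail if any is below MIN_LOG4J. The jars on disk are what the JVM loads, so
# this is the check to run against the deployed backend after redeploying.
find_stale_log4j_jars() {
  stale=0
  # Assumes paths without whitespace, which holds for the fixture and a typical WEB-INF/lib.
  for jar in $(find "$1" -name 'log4j-core-*.jar' | sort); do
    v=${jar##*/log4j-core-}; v=${v%.jar}
    if version_ge "$v" "$MIN_LOG4J"; then
      echo "ok    $v  $jar"
    else
      echo "STALE $v  $jar"; stale=1
    fi
  done
  return $stale
}

# make_fixture: build a constructed before/after layout in a temp dir and print
# its path. The jars are empty placeholder files; only their names matter here.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/before/WEB-INF/lib" "$d/after/WEB-INF/lib"
  printf '<project>\n  <properties>\n    <log4j.version>2.15.0</log4j.version>\n  </properties>\n</project>\n' > "$d/before/pom.xml"
  printf '<project>\n  <properties>\n    <log4j.version>2.16.0</log4j.version>\n  </properties>\n</project>\n' > "$d/after/pom.xml"
  : > "$d/before/WEB-INF/lib/log4j-core-2.15.0.jar"
  : > "$d/after/WEB-INF/lib/log4j-core-2.16.0.jar"
  echo "$d"
}

# Demo: the "before" tree fails both checks, the "after" tree passes both.
demo_dir=$(make_fixture)
for tree in before after; do
  if check_pom "$demo_dir/$tree/pom.xml"; then echo "$tree: pom.xml ok"; else echo "$tree: pom.xml below $MIN_LOG4J"; fi
  if find_stale_log4j_jars "$demo_dir/$tree"; then echo "$tree: jars ok"; else echo "$tree: stale jars found"; fi
done
rm -rf "$demo_dir"
```

On a real deployment, point `find_stale_log4j_jars` at the directory the backend webapp was unpacked into rather than at the fixture; a "STALE" line after a rebuild usually means the old artifact is still what the servlet container is serving. The numeric comparison matters because a plain string compare would rank 2.9.0 above 2.16.0.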

7.1 Release Notes

Note: We highly recommend ALL DSpace 7.0 users upgrade to 7.1

DSpace 7.1 contains a security fix to the backend (REST API) for all sites running 7.0. See CVE-2021-41189 for details.

...