[GeoNetwork-devel] Log4j Vulnerability

Dear GeoNetwork community,

Can you please advise which update of GeoNetwork 3.10.x includes the fix for the Log4J security breach?

I and the Edisoft company are part of the EU project Odyssea, which currently uses GeoNetwork v3.10.3, and we need to update in order to correct the security issues reported with Log4J.

The project currently has the GeoNetwork server down and is waiting for a possible solution.

Can you please be so kind as to inform me of the above?

Many thanks for your attention to this subject.

BR,


Carlos Figueiredo

Technical Manager / Senior System Analyst
Defence & Security Systems

carlos.figueiredo@anonymised.com

Tel: +351.212945900

Mobile: +351. 937 673 523

Fax: +351.212945999

Rua Calvet Magalhães, 245

2770-153 Paço de Arcos · Portugal

www.edisoft.pt


The information contained in this e-mail and any attachments are the property of EDISOFT and may be confidential. If you are not the intended recipient, please notify us immediately, send this message back to us and destroy it. You are hereby notified that any review, dissemination, distribution, copying or otherwise use of this e-mail is strictly prohibited

Hi Carlos

Please check:

Both versions have the log4j2 version 2.15.0. The source code is updated to 2.17.0, but for now there are no official releases including that version.

Regards,
Jose García


Vriendelijke groeten / Kind regards,

Jose García


Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664

Please consider the environment before printing this email.

Thank you José.

Happy New Year.

Carlos Figueiredo


From: Jose Garcia <jose.garcia@…437…>
Sent: 3 January 2022 11:36
To: FIGUEIREDO Carlos <carlos.figueiredo@…1177…>
Cc: geonetwork-devel@lists.sourceforge.net; TILSNER Dirk <dirk.tilsner@…1177…>
Subject: Re: [GeoNetwork-devel] Log4j Vulnerability

On Mon, Jan 3, 2022 at 12:17 PM FIGUEIREDO Carlos via GeoNetwork-devel <geonetwork-devel@lists.sourceforge.net> wrote:


GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork


Hi José,

Just one more piece of information: it seems that the GeoNetwork 3.10.10 war package still includes the log4j-1.2.17.jar, containing the JMSAppender.class.

Is another 3.10.x version expected to be released with this removed (version 1 of Log4J, as it seems redundant?) and eventually also upgraded to log4j 2.17.x?

Many thanks for your attention and help on this subject.

BR,

Carlos Figueiredo



Hi José,

One additional question: can GeoNetwork function without the use of cookies?

Thank you for your attention and best regards,

Carlos Figueiredo


From: FIGUEIREDO Carlos
Sent: 5 January 2022 11:22
To: ‘Jose Garcia’ <jose.garcia@…437…>
Cc: geonetwork-devel@lists.sourceforge.net; TILSNER Dirk <dirk.tilsner@…1177…>
Subject: RE: [GeoNetwork-devel] Log4j Vulnerability


Hi Carlos

About log4j-1.2.17.jar, afaik version 1.2 is not affected by the bug. GeoNetwork uses that version for logs, the log4j version 2 is included as part of another library used in GeoNetwork, but it’s not really used for the logs.

About the cookies, I don’t think the usage can be removed from GeoNetwork.

Regards,
Jose García

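The check Carlos did by hand on the 3.10.10 war (finding log4j-1.2.17.jar next to the log4j 2 jars) and the point José's last reply rests on (which log4j jars are in the package and which of them is actually wired into logging) can both be made repeatable. The script below is an added example written for this thread, not code from the GeoNetwork project or from either participant: it walks WEB-INF/lib of a war, picks out every jar whose name looks like a log4j artifact, reads the version from the file name, reports whether a Log4j 2 jar is below the 2.17.0 the thread names as the target, and reports whether the jar carries JndiLookup.class (the Log4j 2 class that performs JNDI lookups) or JMSAppender.class (the Log4j 1.2 class Carlos found, which is only reachable if a log4j.properties or log4j.xml actually configures that appender). The war it scans is constructed in a temporary directory to mimic the layout described in the thread; the jar names, the NOTABLE_CLASSES table and the version cutoff are assumptions of the example. Point `scan_war()` at a real geonetwork.war to use it.

```python
"""Inventory the Log4j jars bundled inside a .war (constructed sample included)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Classes worth reporting. JndiLookup is the Log4j 2 class that performs JNDI
# lookups; JMSAppender is the Log4j 1.2 class the thread mentions, which only
# matters if a log4j.properties/log4j.xml actually configures that appender.
# The table and labels are assumptions of this example.
NOTABLE_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "JndiLookup (log4j 2 JNDI lookup)",
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender (log4j 1.2, needs explicit config)",
}

# The thread's stated target: sources moved to 2.17.0 while releases still ship 2.15.0.
TARGET_LOG4J2 = (2, 17, 0)

# Matches log4j-1.2.17.jar, log4j-core-2.15.0.jar, log4j-api-2.15.0.jar, ...
JAR_NAME_RE = re.compile(r"^(?P<artifact>log4j[\w.-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0), so versions compare as tuples rather than strings."""
    return tuple(int(part) for part in text.split("."))


def make_jar(class_paths):
    """Build an in-memory jar holding only the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path in class_paths:
            jar.writestr(path, b"\xca\xfe\xba\xbe")  # class-file magic, nothing else
    return buf.getvalue()


def scan_jar_bytes(jar_name, data):
    """Return a finding for a log4j-looking jar, or None if the name is not a log4j artifact."""
    match = JAR_NAME_RE.match(jar_name)
    if not match:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        entries = set(jar.namelist())
    version = parse_version(match.group("version"))
    notable = sorted(label for path, label in NOTABLE_CLASSES.items() if path in entries)
    # Only Log4j 2 is measured against the 2.17.0 target; 1.x is end-of-life and is
    # reported through its notable classes instead of a version comparison.
    below_target = version[0] >= 2 and version < TARGET_LOG4J2
    return {
        "jar": jar_name,
        "artifact": match.group("artifact"),
        "version": match.group("version"),
        "notable_classes": notable,
        "below_target": below_target,
    }


def scan_war(war_path):
    """Walk WEB-INF/lib of a war and return one finding per log4j jar, sorted by jar name."""
    findings = []
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            finding = scan_jar_bytes(entry.rsplit("/", 1)[-1], war.read(entry))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["jar"])


def build_sample_war(directory):
    """Constructed sample, not a real GeoNetwork release: the jar layout the thread describes."""
    war_path = Path(directory) / "geonetwork-sample.war"
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar",
                     make_jar(["org/apache/logging/log4j/core/lookup/JndiLookup.class"]))
        war.writestr("WEB-INF/lib/log4j-api-2.15.0.jar",
                     make_jar(["org/apache/logging/log4j/LogManager.class"]))
        war.writestr("WEB-INF/lib/log4j-1.2.17.jar",
                     make_jar(["org/apache/log4j/net/JMSAppender.class"]))
        war.writestr("WEB-INF/lib/commons-io-2.11.0.jar",  # unrelated jar, must be ignored
                     make_jar(["org/apache/commons/io/IOUtils.class"]))
    return war_path


def demo():
    """Scan the constructed war; returns the findings list so callers can inspect it."""
    with tempfile.TemporaryDirectory() as directory:
        return scan_war(build_sample_war(directory))


if __name__ == "__main__":
    for finding in demo():
        notable = ", ".join(finding["notable_classes"]) or "-"
        print(f"{finding['jar']:28} version {finding['version']:8} "
              f"below 2.17.0: {str(finding['below_target']):5}  notable: {notable}")
```

Reading the version from the file name is a heuristic: a log4j jar that arrives shaded inside another library (the route José describes for log4j 2 in GeoNetwork) keeps neither its own jar name nor, if packages were relocated, its original class paths, so the class check is the one to rely on and a shaded dependency may need the containing jar opened by hand. The script also says nothing about whether JMSAppender is configured; that has to be read from the deployed log4j configuration.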