[GeoNetwork-users] log4

Hi,

I have seen that Geonetwork also uses the log4 lib.
https://geonetwork-opensource.org/manuals/3.10.x/en/install-guide/logging.html

What do I have to do to avoid attacks and fix the current security warnings regarding log4?
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

Thanks + Greetings
Sven

Hi and thanks for raising the topic. There is a GitHub issue on that
matter, I suggest that we use it to centralize communication and exchanges:
https://github.com/geonetwork/core-geonetwork/issues/6076
--
*camptocamp*
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

*Olivier Guyot*
Geospatial Developer
+49 89 2620 89 924

On Mon, Dec 13, 2021 at 9:34 AM Sven Schroeter via GeoNetwork-users <
geonetwork-users@lists.sourceforge.net> wrote:

Hi,

I have seen that Geonetwork also uses the log4 lib.

https://geonetwork-opensource.org/manuals/3.10.x/en/install-guide/logging.html

What do I have to do to avoid attacks and fix the current security
warnings regarding log4?

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

Thanks + Greetings
Sven

_______________________________________________
GeoNetwork-users mailing list
GeoNetwork-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-users
GeoNetwork OpenSource is maintained at
http://sourceforge.net/projects/geonetwork

Hi Sven

For the
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
issue, version 3.10.10 has been released today with the library
upgraded (
https://sourceforge.net/projects/geonetwork/files/GeoNetwork_opensource/v3.10.10/),
and tomorrow we plan to release 3.12.2 with the same upgrade.

Regards,
Jose García


--

Vriendelijke groeten / Kind regards,

Jose García
<http://www.geocat.net/>
Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664

Please consider the environment before printing this email.

Hi Olivier,
thanks for the tip!
we are currently using geonetwork 3.10.8.
I am not a Java expert and have looked what libs are used here. In the directory WEB-INF/lib are the following .jar files:
log4j-api-2.7.jar
log4j-core-2.7.jar
log4j-1.2.17.jar
What do I need to do to get the service back up and running safely?
Thanks Sven

On 13.12.2021 at 12:37, Olivier Guyot wrote:

Hi and thanks for raising the topic. There is a GitHub issue on that matter, I suggest that we use it to centralize communication and exchanges: https://github.com/geonetwork/core-geonetwork/issues/6076

Hi Sven,

The safest is probably to migrate to the 3.10.10 version published by Jose,
see:
https://sourceforge.net/projects/geonetwork/files/GeoNetwork_opensource/v3.10.10/

This contains the 2.15 version of log4j instead of 2.7.
--
*camptocamp*
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

*Olivier Guyot*
Geospatial Developer
+49 89 2620 89 924

On Mon, Dec 13, 2021 at 1:42 PM Sven Schroeter <schroeter@anonymised.com> wrote:

Hi Olivier,
thanks for the tip!
we are currently using geonetwork 3.10.8.
I am not a Java expert and have looked what libs are used here. In the
directory WEB-INF/lib are the following .jar files:
log4j-api-2.7.jar
log4j-core-2.7.jar
log4j-1.2.17.jar
What do I need to do to get the service back up and running safely?
Thanks Sven


Hi Sven

If you cannot upgrade to version 3.10.10, a quick fix is to remove these 2
files from WEB-INF/lib:

log4j-api-2.7.jar
log4j-core-2.7.jar

Download log4j2 version 2.15.0 and replace them with the ones from
version 2.15.0.

Regards,
Jose García

On Mon, Dec 13, 2021 at 1:43 PM Sven Schroeter via GeoNetwork-users <
geonetwork-users@lists.sourceforge.net> wrote:

Hi Olivier,
thanks for the tip!
we are currently using geonetwork 3.10.8.
I am not a Java expert and have looked what libs are used here. In the
directory WEB-INF/lib are the following .jar files:
log4j-api-2.7.jar
log4j-core-2.7.jar
log4j-1.2.17.jar
What do I need to do to get the service back up and running safely?
Thanks Sven


--

Vriendelijke groeten / Kind regards,

Jose García
<http://www.geocat.net/>
Veenderweg 13
6721 WD Bennekom
The Netherlands
T: +31 (0)318 416664

Please consider the environment before printing this email.
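
A check to run before and after the jar swap described in this thread, as an added example that is not part of the original messages and not GeoNetwork project code: it lists the log4j jars in a WEB-INF/lib directory and flags log4j 2.x core/api jars older than a minimum version. The function names and verdict labels are assumptions made for this example; the default minimum, 2.15.0, is the version named in the thread and can be overridden with the second argument.

```shell
# Added example (not GeoNetwork project code): flag log4j 2.x core/api jars in
# a WEB-INF/lib directory that are older than a minimum (default: 2.15.0).
# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 1; fi
  done
  return 1
}

# classify_jar NAME [MIN]: print one verdict line for a jar file name.
classify_jar() {
  _name=$1; _min=${2:-2.15.0}
  case $_name in
    log4j-core-[0-9]*.jar|log4j-api-[0-9]*.jar)
      _ver=${_name%.jar}; _ver=${_ver#log4j-*-}  # "log4j-core-2.7" -> "2.7"
      _ver=${_ver%%[!0-9.]*}                     # drop suffixes like "-beta9"
      if version_lt "$_ver" "$_min"; then
        echo "REPLACE $_name ($_ver < $_min)"
      else
        echo "OK $_name ($_ver)"
      fi ;;
    log4j-1.*.jar)  # 1.x is a separate library line, untouched by the 2.x swap
      echo "LOG4J1 $_name (1.x line, not part of the 2.x jar swap)" ;;
  esac
}

# audit_lib_dir DIR [MIN]: classify every log4j-*.jar; return 1 if any is old.
audit_lib_dir() {
  _rc=0
  for _jar in "$1"/log4j-*.jar; do
    [ -e "$_jar" ] || continue
    _line=$(classify_jar "${_jar##*/}" "${2:-2.15.0}")
    if [ -n "$_line" ]; then echo "$_line"; fi
    case $_line in REPLACE*) _rc=1 ;; esac
  done
  return "$_rc"
}

# Demo on a constructed directory holding the three file names from the thread.
_demo=$(mktemp -d)
touch "$_demo/log4j-api-2.7.jar" "$_demo/log4j-core-2.7.jar" "$_demo/log4j-1.2.17.jar"
audit_lib_dir "$_demo" || echo "at least one log4j 2.x jar is below the minimum"
rm -rf "$_demo"
```

On a real installation, call audit_lib_dir with the path to the webapp's WEB-INF/lib; a non-zero return status means at least one REPLACE line was printed.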