[netcdf-java] [Important] Severe CVE, impacts, and mitigation

Hello THREDDS users,

Apologies for the late Friday email, but as many of you may have seen, an
RCE exploit was identified in the log4j library last night (see this post
<https://www.lunasec.io/docs/blog/log4j-zero-day/> and CVE
<https://www.randori.com/blog/cve-2021-44228/>). This affects all TDS users
(4.6.x and 5.x), and some netCDF-Java users. Please read on for information
on mitigation.

The netCDF-Java library uses SLF4J logging <http://www.slf4j.org/>, which
released this statement
<http://mailman.qos.ch/pipermail/announce/2021/000163.html> this morning,
stating the vulnerability is present under the SLF4J library when log4j is
being used as the backend. If you are using log4j as your netCDF-Java
logging implementation, you will need to upgrade to the newest release (

Both TDS 4.6.x and 5.x use the log4j library, and are therefore impacted by
the vulnerability. New releases of both are now available and use the
latest release of log4j (2.15.0 <>). The stable release of
TDS 4.6.x is now at 4.6.18 <https://github.com/Unidata/thredds/releases>
and the stable release of TDS 5.x is now at 5.3
<https://github.com/Unidata/tds/releases>. You can find both on the downloads

JDK versions
*JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1, are reportedly
not affected* by the LDAP attack vector (
https://www.lunasec.io/docs/blog/log4j-zero-day/). If you are using one of
these JDKs, upgrading your TDS or logging library may be less critical
(though still *highly *advisable). As a general note, staying on top of
your JDK version can help provide some protection against security

All the best,
The THREDDS development team

Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)
  • 2021 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the netcdf-java archives: