Re: [netcdf-java] [Important] Severe CVE, impacts, and mitigation

To: thredds@xxxxxxxxxxxxxxxx, netcdf-java@xxxxxxxxxxxxxxxx
Subject: Re: [netcdf-java] [Important] Severe CVE, impacts, and mitigation
From: Hailey Johnson <hajohns@xxxxxxxx>
Date: Fri, 10 Dec 2021 16:03:17 -0800

A quick correction: The current release of the TDS is now *5.2
<https://github.com/Unidata/tds/releases>*, not 5.3 as stated in the
previous email. The downloads on the TDS downloads
<https://www.unidata.ucar.edu/downloads/tds/> page are the most current
releases.

Sorry for any confusion.

On Fri, Dec 10, 2021 at 3:49 PM Hailey Johnson <hajohns@xxxxxxxx> wrote:

> Hello THREDDS users,
>
> Apologies for the late Friday email, but as many of you may have seen, an
> RCE exploit was identified in the log4j library last night (see this post
> <https://www.lunasec.io/docs/blog/log4j-zero-day/> and CVE
> <https://www.randori.com/blog/cve-2021-44228/>). This affects all TDS
> users (4.6.x and 5.x), and some netCDF-Java users. Please read on for
> information on mitigation.
>
> netCDF-Java
> The netCDF-Java library uses SLF4J logging <http://www.slf4j.org/>, which
> released this statement
> <http://mailman.qos.ch/pipermail/announce/2021/000163.html> this morning,
> stating the vulnerability is present under the SLF4J library when log4j is
> being used as the backend. If you are using log4j as your netCDF-Java
> logging implementation, you will need to upgrade to the newest release (
> 2.15.0).
>
> TDS
> Both TDS 4.6.x and 5.x use the log4j library, and are therefore impacted
> by the vulnerability. New releases of both are now available and use the
> latest release of log4j (2.15.0 <http://2.15.0.0/>). The stable release
> of TDS 4.6.x is now at 4.6.18
> <https://github.com/Unidata/thredds/releases> and the stable release of
> TDS 5.x is now at 5.3 <https://github.com/Unidata/tds/releases>. You can
> find both on the downloads <https://www.unidata.ucar.edu/downloads/tds/>
> page.
>
> JDK versions
> *JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1, are reportedly
> not affected* by the LDAP attack vector (
> https://www.lunasec.io/docs/blog/log4j-zero-day/). If you are using one
> of these JDKs, upgrading your TDS or logging library may be less critical
> (though still *highly *advisable). As a general note, staying on top of
> your JDK version can help provide some protection against security
> vulnerabilities.
>
> All the best,
> The THREDDS development team
>
> --
> Hailey Johnson (she/her)
> Software Engineer | THREDDS Developer
> Unidata | UCAR Community Programs (UCP)
>


-- 
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)

References:
- [netcdf-java] [Important] Severe CVE, impacts, and mitigation
  - From: Hailey Johnson

2021 messages navigation, sorted by:
1. Thread
2. Subject
3. Author
4. Date
5. ↑ Table Of Contents
Search the netcdf-java archives: