This repository has been archived by the owner on Sep 1, 2022. It is now read-only.

Tracking log4j security issues #1381

Open
haileyajohnson opened this issue Dec 18, 2021 · 10 comments

Comments

@haileyajohnson

haileyajohnson commented Dec 18, 2021

Hello THREDDS users - this issue is being opened to keep users who are not subscribed to the mailing list updated on the log4j and TDS saga.

As of December 18th, 2021, the recommended releases of the TDS are snapshot releases, 5.3-SNAPSHOT and 4.6.19-20211218.154246-4. Both can be found on the TDS downloads page. These releases use log4j 2.17.0 and address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

The THREDDS team plans to release an official (non-snapshot) release of both TDS 5.x and 4.6.x next week; however, there is no difference between a snapshot and a full release other than the process of naming and archiving the version. The snapshots available are complete and stable.

We will keep you updated here as the situation progresses.

best,
THREDDS development team

@haileyajohnson haileyajohnson pinned this issue Dec 18, 2021
@haileyajohnson
Author

haileyajohnson commented Dec 20, 2021

TDS 4.6.19 was released December 20th, 2021. It is identical to TDS 4.6.19-20211218.154246-4, other than that it is archived as an official release; it uses log4j 2.17.0 and addresses CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

You can get TDS 4.6.19 from the TDS downloads page.

@haileyajohnson
Author

As of December 28th, 2021, log4j 2.17.0 is known to be vulnerable to CVE-2021-44832. We have published a TDS 4.6.20-SNAPSHOT which uses log4j 2.17.1 - this snapshot is now the recommended version of TDS 4.6.x. You can get it from the TDS downloads page.

We will release TDS 4.6.20 sometime soon, but are choosing to "wait and see" how the issue evolves for the time being.
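A defender-side check prompted by the version notes above, added here as an example and not code from the THREDDS project: it inspects the WEB-INF/lib entries of a TDS WAR for the bundled log4j-core jar and maps its version to the CVEs listed in this thread (2.17.0 covers the first three, 2.17.1 also covers CVE-2021-44832). The in-memory WAR produced by build_sample_war is a constructed stand-in for thredds.war; the function names are assumptions.

```python
import io
import re
import zipfile

# As stated in this thread: log4j 2.17.0 addresses the first three CVEs, 2.17.1 also CVE-2021-44832.
FIXES = [
    ((2, 17, 0), ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]),
    ((2, 17, 1), ["CVE-2021-44832"]),
]
REQUIRED = (2, 17, 1)  # minimum log4j-core version the thread recommends

# Matches e.g. WEB-INF/lib/log4j-core-2.17.0.jar; ignores log4j-api and other jars.
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def parse_version(entry_name):
    """Return (major, minor, patch) for a log4j-core jar entry, else None."""
    m = JAR_RE.search(entry_name)
    return tuple(int(g) for g in m.groups()) if m else None

def find_log4j_core(war):
    """List the log4j-core versions bundled in a WAR (path or file-like object)."""
    with zipfile.ZipFile(war) as zf:
        return sorted({v for v in map(parse_version, zf.namelist()) if v})

def outstanding_cves(version):
    """CVEs from the thread that the given log4j-core version does not yet address."""
    return [cve for fixed_in, cves in FIXES if version < fixed_in for cve in cves]

def assess_war(war):
    """Summarise the WAR: bundled versions, whether it meets REQUIRED, and open CVEs."""
    versions = find_log4j_core(war)
    worst = min(versions) if versions else None  # a stray old jar still counts
    return {
        "versions": versions,
        "ok": worst is not None and worst >= REQUIRED,
        "open_cves": outstanding_cves(worst) if worst else ["no log4j-core found"],
    }

def build_sample_war(*core_versions):
    """Constructed stand-in for thredds.war: an in-memory zip with the named jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-api-2.17.1.jar", b"")  # api jar must be ignored
        for v in core_versions:
            zf.writestr(f"WEB-INF/lib/log4j-core-{v}.jar", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(assess_war(build_sample_war("2.17.0")))  # ok=False, open CVE-2021-44832
```

Point assess_war at a real deployment with assess_war("/path/to/thredds.war"); a result with "ok": False means the bundled log4j-core is older than the 2.17.1 this thread recommends.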

@rsignell-usgs
Contributor

rsignell-usgs commented Jan 3, 2022

@haileyajohnson we run thredds using the unidata-created docker containers. I currently see the latest as 4.6.19 here:
https://hub.docker.com/r/unidata/thredds-docker/tags, pushed 12 days ago by @julienchastang.

Could we get the latest version pushed please?

@gajowi

gajowi commented Jan 4, 2022

I'm keen to also have a v5 container. So I assume for the log4j issue I'm now waiting on 5.4 (with the same log4j updates as 4.6.20).
related thredds-docker issue

@julienchastang
Member

@rsignell-usgs @gajowi jumping in a little late in the game here, but now that 5.3 has been belatedly released, on the docker side do you need SNAPSHOT releases for TDS 4 and 5? The thing is that CVE-2021-44832 was a lot less severe than the original set of log4j vulnerabilities, and I would like to hold off until 5.4, if possible, before making a Docker release.

@gajowi

gajowi commented Jan 7, 2022 via email

@gajowi

gajowi commented Feb 6, 2022

The wait has been far longer than I anticipated. Will there be 5.4 and 4.6.20 releases soon?
I think I have learned that I need to rely harder on the snapshots and my own testing/CD process. I'd previously been relying on 'major' releases and unidata built containers. That was convenient, but it seems like it does not offer enough control in cases like this. That said, such a major and broad security flaw is not exactly a common event...

@haileyajohnson
Author

haileyajohnson commented Feb 8, 2022

@gajowi We're aiming to get the new releases out next Friday (2/18); it has been quite a wait now. Everything you've said is spot on though, these past few months have not been "the norm" for our releases, but to really stay on top of security and bug fixes, snapshots are the way to go.

@gajowi

gajowi commented Feb 22, 2022

I see 4.6.20 but no 5.4. Is that scheduled?

@haileyajohnson
Author

haileyajohnson commented Feb 22, 2022

5.4 release date is still TBA. Getting it in shape as a stable, long-term release has turned out to be a heavier lift than expected, but it is my top priority right now. Sorry for the delays.
