Status on Log4Shell

[tschmidtb51]

Dear colleagues,

is there any official statement about the status of dataverse regarding the log4j related vulnerabilities

• CVE-2021-4104
• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105

which the software list at NCSC-NL/log4shell could link to?
It looks like dataverse uses log4j at least through different sub-components.

[qqmyers]

FWIW: I'm not aware of an official web page, but security contacts have been notified and a broader announcement was made on the community mail list with info on how to join that list.

[pdurbin]

Good point, @qqmyers. Thanks. That's probably the most official thing we've written so far about log4j.

@tschmidtb51 I just drafted some release notes for Dataverse 5.10 (PR #8464). In them, I wrote this...

Administrators can run a version of Dataverse that doesn't include a version of log4j with known vulnerabilities. (PR #8377)

Is that the sort of official statement you're looking for?

[tschmidtb51]

Yes. Thank you!

When will 5.10 be released?

[pdurbin]

You know, we just got the same question at #8457 (comment) and I'll give the same answer, soon but when it's ready. 😄

By the way, we've already iterated on the wording a couple times. The latest is this:

Administrators can run a version of the Dataverse Software that doesn't include any version of log4j (neither version 1 nor 2). log4j2 has never been included with the Dataverse Software. As of this version, neither does the Dataverse Software include log4j1, which had vulnerabilities that were much less severe than log4j2. We are not aware of any practical exploits that could be used to compromise the Dataverse Software based on its inclusion of log4j1 in previous releases. (PR #8377)