Hello THREDDS users,
Apologies for the late Friday email, but as many of you may have seen, an
RCE exploit was identified in the log4j library last night (see this post
<https://www.lunasec.io/docs/blog/log4j-zero-day/> and CVE
<https://www.randori.com/blog/cve-2021-44228/>). This affects all TDS users
(4.6.x and 5.x), and some netCDF-Java users. Please read on for information
on mitigation.
netCDF-Java
The netCDF-Java library uses SLF4J logging <http://www.slf4j.org/>, which
released this statement
<http://mailman.qos.ch/pipermail/announce/2021/000163.html> this morning,
stating the vulnerability is present under the SLF4J library when log4j is
being used as the backend. If you are using log4j as your netCDF-Java
logging implementation, you will need to upgrade to the newest release
(2.15.0).
TDS
Both TDS 4.6.x and 5.x use the log4j library, and are therefore impacted by
the vulnerability. New releases of both are now available and use the
latest release of log4j (2.15.0). The stable release of
TDS 4.6.x is now at 4.6.18 <https://github.com/Unidata/thredds/releases>
and the stable release of TDS 5.x is now at 5.3
<https://github.com/Unidata/tds/releases>. You can find both on the downloads
page <https://www.unidata.ucar.edu/downloads/tds/>.
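As an added check (example script, not from the THREDDS team), the function below walks a Tomcat webapps tree such as a TDS deployment, finds log4j-core jars by the standard Maven filename convention `log4j-core-<version>.jar`, and flags any version older than the 2.15.0 release named above. It assumes plain x.y.z release versions and will not notice a shaded or renamed copy of log4j; the directory path is whatever you pass.

```shell
#!/usr/bin/env bash
# Added example: find log4j-core jars under a webapps tree and report any
# older than the fixed release announced above. Assumes POSIX sh utilities.

FIXED_VERSION="2.15.0"   # first log4j 2.x release without CVE-2021-44228

# log4j_version_from_jar PATH -> version embedded in the jar filename
#   .../WEB-INF/lib/log4j-core-2.14.1.jar -> 2.14.1
log4j_version_from_jar() {
    base=$(basename "$1" .jar)
    printf '%s\n' "${base#log4j-core-}"
}

# version_key X.Y.Z -> single integer so versions compare numerically
# (2.9.1 must sort before 2.15.0; a plain string compare would get it wrong)
version_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# version_lt A B -> true when release A is older than release B
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# scan_log4j DIR -> one line per log4j-core jar: "VULNERABLE ..." or "OK ..."
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        ver=$(log4j_version_from_jar "$jar")
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s (log4j-core %s < %s)\n' "$jar" "$ver" "$FIXED_VERSION"
        else
            printf 'OK         %s (log4j-core %s)\n' "$jar" "$ver"
        fi
    done
}

# count_vulnerable DIR -> number of jars that still need the upgrade
count_vulnerable() {
    scan_log4j "$1" | grep -c '^VULNERABLE' || true
}
```

Run it as `scan_log4j /path/to/tomcat/webapps` (a constructed example path) and treat any VULNERABLE line as a deployment that still needs the TDS or log4j upgrade.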
JDK versions
*JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1, are reportedly
not affected* by the LDAP attack vector
(https://www.lunasec.io/docs/blog/log4j-zero-day/). If you are using one of
these JDKs, upgrading your TDS or logging library may be less critical
(though still *highly* advisable). As a general note, staying on top of
your JDK version can help provide some protection against security
vulnerabilities.
All the best,
The THREDDS development team
--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)