Tracking log4j security issues

[haileyajohnson]

Hello THREDDS users - this issue is being opened to keep users who are not subscribed to the mailing list updated on the log4j and TDS saga.

As of December 18th, 2021, the recommended releases of the TDS are snapshot releases, 5.3-SNAPSHOT and 4.6.19-20211218.154246-4. Both can be found on the TDS downloads page. These releases use log4j 2.17.0 and address CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

The THREDDS team plans to release an official (non-snapshot) release of both TDS 5.x and 4.6.x next week, however there is no difference between a snapshot and a full release other than the process of naming and archiving the version. The snapshots available are complete and stable.

We will keep you updated here as the situation progresses.

best,
THREDDS development team

[haileyajohnson]

TDS 4.6.19 was released December 20th, 2021. It is identical to TDS 4.6.19-20211218.154246-4, other than that it is archived as an official release; it uses log4j 2.17.0 and addresses CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

You can get TDS 4.6.19 from the TDS downloads page.

[haileyajohnson]

As of December 28th, 2021, log4j 2.17.0 is known to be vulnerable to CVE-2021-44832. We have published a TDS 4.6.20-SNAPSHOT which uses log4j 2.17.1 - this snapshot is now the recommended version of TDS 4.6.x. You can get it from the TDS downloads page.

We will release TDS 4.6.20 sometime soon, but are choosing to "wait and see" how the issue evolves for the time being.

[rsignell-usgs]

@haileyajohnson we run thredds using the unidata-created docker containers. I currently see the latest as 4.6.19 here:
https://hub.docker.com/r/unidata/thredds-docker/tags, pushed 12 days ago by @julienchastang.

Could we get the latest version pushed please?

[gajowi]

I'm keen to also have a v5 container. So I assume for the log4j issue I'm now waiting on 5.4 (with the same log4j updates as 4.6.20).
related thredds-docker issue

[julienchastang]

@rsignell-usgs @gajowi jumping in a little late in the game here, but now that 5.3 has been belatedly released, on the docker side do you need SNAPSHOT releases for TDS 4 and 5? The thing is that CVE-2021-44832 was a lot less severe than the original set of log4j vulnerabilities, and I would like to hold off until 5.4, if possible before making a Docker release.

[gajowi]

Thanks Julien. I'm personally happy to wait, given I'm not expecting a long wait.

…

On Thu, 6 Jan 2022, 6:02 am Julien Chastang, ***@***.***> wrote: @rsignell-usgs <https://github.com/rsignell-usgs> @gajowi <https://github.com/gajowi> jumping in a little late in the game here, but now that 5.3 has been belatedly released <Unidata/thredds-docker#258>, on the docker side do you need SNAPSHOT releases for TDS 4 and 5? The thing is that CVE-2021-44832 <https://nvd.nist.gov/vuln/detail/CVE-2021-44832> was a lot less severe than the original set of log4j vulnerabilities, and I would like to hold off until 5.4, if possible before making a Docker release. — Reply to this email directly, view it on GitHub <#1381 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAUSKFMC4B737U5V7ND4ASTUUSIT3ANCNFSM5KKZYV6A> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[gajowi]

The wait has been far longer than I anticipated. Will there be 5.4 and 4.6.20 releases soon?
I think I have learned that I need to rely harder on the snapshots and my own testing/CD process. I'd previously been relying on 'major' releases and unidata built containers. That was convenient, but it seems like it does not offer enough control in cases like this. That said, such a major and broad security flaw is not exactly a common event...

[haileyajohnson]

@gajowi We're aiming to get the new releases out next Friday (2/18), it has been a quite a wait now. Everything you've said is spot on though, these past few months have not been "the norm" for our releases, but to really stay on top of security and bug fixes, snapshots are the way to go.

[gajowi]

I see 4.6.20 but no 5.4. Is that scheduled?

[haileyajohnson]

5.4 release date is still TBA. Getting it in shape as a stable, long-term release has turned out to be a heavier lift than expected, but it is my top priority right now. Sorry for the delays.