Hello THREDDS users,

Apologies for the late Friday email, but as many of you may have seen, an RCE exploit was identified in the log4j library last night (see this post <https://www.lunasec.io/docs/blog/log4j-zero-day/> and CVE <https://www.randori.com/blog/cve-2021-44228/>). This affects all TDS users (4.6.x and 5.x), and some netCDF-Java users. Please read on for information on mitigation.

netCDF-Java

The netCDF-Java library uses SLF4J logging <http://www.slf4j.org/>, which released this statement <http://mailman.qos.ch/pipermail/announce/2021/000163.html> this morning, stating the vulnerability is present under the SLF4J library when log4j is being used as the backend. If you are using log4j as your netCDF-Java logging implementation, you will need to upgrade to the newest release (2.15.0).

TDS

Both TDS 4.6.x and 5.x use the log4j library, and are therefore impacted by the vulnerability. New releases of both are now available and use the latest release of log4j (2.15.0 <http://2.15.0.0/>). The stable release of TDS 4.6.x is now at 4.6.18 <https://github.com/Unidata/thredds/releases> and the stable release of TDS 5.x is now at 5.3 <https://github.com/Unidata/tds/releases>. You can find both on the downloads <https://www.unidata.ucar.edu/downloads/tds/> page.

JDK versions

*JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are reportedly not affected* by the LDAP attack vector (https://www.lunasec.io/docs/blog/log4j-zero-day/). If you are using one of these JDKs, upgrading your TDS or logging library may be less critical (though still *highly* advisable). As a general note, staying on top of your JDK version can help provide some protection against security vulnerabilities.

All the best,
The THREDDS development team

--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)
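An added example, not part of the original message and not Unidata code: one way to check which log4j-core versions a TDS or netCDF-Java deployment actually ships, compared against the 2.15.0 release named above. It assumes each log4j-core jar still carries its standard Maven `pom.properties` (repackaged jars that strip it are missed); the function names and the sample archives are constructed for illustration.

```python
import io, pathlib, re, tempfile, zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # log4j release named in the announcement above

def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def inspect_archive(data, label, findings):
    """Record log4j-core versions in one archive, recursing into nested jars/wars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM:
                m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    findings.append((label, m.group(1), parse_version(m.group(1)) < FIXED))
            elif name.lower().endswith((".jar", ".war")):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan(root):
    """Return (location, version, needs_upgrade) for every log4j-core copy under root."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".jar", ".war"):
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def _zip(entries):
    """Build a constructed in-memory archive from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed sample: an unexploded war holding 2.14.1 beside a loose 2.15.0 jar."""
    old, new = (_zip({POM: f"version={v}\n"}) for v in ("2.14.1", "2.15.0"))
    with tempfile.TemporaryDirectory() as root:
        pathlib.Path(root, "sample.war").write_bytes(_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old}))
        pathlib.Path(root, "log4j-core-2.15.0.jar").write_bytes(new)
        return sorted((ver, bad) for _, ver, bad in scan(root))
```

Pointing `scan()` at the servlet container's webapps directory covers both exploded `WEB-INF/lib` folders and jars still packed inside a war.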