A quick correction: The current release of the TDS is now *5.2 <https://github.com/Unidata/tds/releases>*, not 5.3 as stated in the previous email. The downloads on the TDS downloads <https://www.unidata.ucar.edu/downloads/tds/> page are the most current releases. Sorry for any confusion.

On Fri, Dec 10, 2021 at 3:49 PM Hailey Johnson <hajohns@xxxxxxxx> wrote:

> Hello THREDDS users,
>
> Apologies for the late Friday email, but as many of you may have seen, an
> RCE exploit was identified in the log4j library last night (see this post
> <https://www.lunasec.io/docs/blog/log4j-zero-day/> and CVE
> <https://www.randori.com/blog/cve-2021-44228/>). This affects all TDS
> users (4.6.x and 5.x), and some netCDF-Java users. Please read on for
> information on mitigation.
>
> netCDF-Java
> The netCDF-Java library uses SLF4J logging <http://www.slf4j.org/>, which
> released this statement
> <http://mailman.qos.ch/pipermail/announce/2021/000163.html> this morning,
> stating the vulnerability is present under the SLF4J library when log4j is
> being used as the backend. If you are using log4j as your netCDF-Java
> logging implementation, you will need to upgrade to the newest release
> (2.15.0).
>
> TDS
> Both TDS 4.6.x and 5.x use the log4j library, and are therefore impacted
> by the vulnerability. New releases of both are now available and use the
> latest release of log4j (2.15.0 <http://2.15.0.0/>). The stable release
> of TDS 4.6.x is now at 4.6.18
> <https://github.com/Unidata/thredds/releases> and the stable release of
> TDS 5.x is now at 5.3 <https://github.com/Unidata/tds/releases>. You can
> find both on the downloads <https://www.unidata.ucar.edu/downloads/tds/>
> page.
>
> JDK versions
> *JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1, are reportedly
> not affected* by the LDAP attack vector
> (https://www.lunasec.io/docs/blog/log4j-zero-day/). If you are using one
> of these JDKs, upgrading your TDS or logging library may be less critical
> (though still *highly* advisable). As a general note, staying on top of
> your JDK version can help provide some protection against security
> vulnerabilities.
>
> All the best,
> The THREDDS development team
>
> --
> Hailey Johnson (she/her)
> Software Engineer | THREDDS Developer
> Unidata | UCAR Community Programs (UCP)
>

--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)
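
Added example, not part of the original email and not Unidata code: a Python triage helper that applies the email's log4j release (2.15.0) and JDK thresholds to a Java version string and a list of jar paths. The function names, the `log4j-core-<version>.jar` file-name convention it matches on, and the sample paths are assumptions made for illustration.

```python
import re

# Thresholds quoted in the email, keyed by Java major version. Following its
# wording ("greater than"), a JDK exactly at a threshold is not counted.
JDK_THRESHOLDS = {6: (6, 0, 211), 7: (7, 0, 201), 8: (8, 0, 191), 11: (11, 0, 1)}
LOG4J_FIXED = (2, 15, 0)  # log4j release named in the email

def parse_jdk(version):
    """Map '1.8.0_181', '8u181' or '11.0.13+8' to (major, minor, update)."""
    m = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?", version)
    if m:  # legacy 1.<major>.<minor>_<update> scheme
        return int(m[1]), int(m[2]), int(m[3] or 0)
    m = re.fullmatch(r"(\d+)u(\d+)", version)
    if m:  # short form used in the email
        return int(m[1]), 0, int(m[2])
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.+-].*)?", version)
    if m:  # modern <major>.<minor>.<patch> scheme
        return int(m[1]), int(m[2] or 0), int(m[3] or 0)
    raise ValueError(f"unrecognised Java version: {version!r}")

def jdk_covered(version):
    """True if the JDK is newer than the email's threshold for its line."""
    v = parse_jdk(version)
    if v[0] > 11:
        return True
    threshold = JDK_THRESHOLDS.get(v[0])
    # Unlisted lines (e.g. 9, 10) are treated as not covered: an assumption.
    return threshold is not None and v > threshold

def log4j_version(jar_path):
    """Version tuple from a log4j-core jar file name, else None."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?", jar_path)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def assess(java_version, jar_paths):
    """Return (action, jars older than the release named in the email)."""
    old = [p for p in jar_paths
           if (v := log4j_version(p)) is not None and v < LOG4J_FIXED]
    if not old:
        return "ok", old
    # The email calls upgrading "still highly advisable" even on newer JDKs.
    return ("upgrade-advisable" if jdk_covered(java_version) else "upgrade-now"), old

# Constructed sample input: hypothetical jar paths under a servlet container.
SAMPLE_JARS = ["webapps/thredds/WEB-INF/lib/log4j-core-2.13.3.jar",
               "webapps/thredds/WEB-INF/lib/slf4j-api-1.7.28.jar"]

if __name__ == "__main__":
    for java in ("1.8.0_181", "11.0.13"):
        print(java, assess(java, SAMPLE_JARS))
```

The check relies on jar file names only, so a log4j-core copy that has been renamed or repackaged inside another archive will not be reported.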