Is Nikita affected by the recent Log4J2 Vulnerability?
Thomas Sødring
tsodring at oslomet.no
Wed Dec 15 10:57:50 CET 2021
Hi,
With the recent news about the log4j2 vulnerability I was asked if
nikita was affected. Initially, I did not believe it was. spring.io had
an announcement that spring with default configuration is not affected.
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
However, Java dependency management introduces lots of related
dependencies. I am unsure how these dependencies are vulnerable.
I have taken the recommended steps to mitigate this problem. I will
document our approach here:
https://gitlab.com/OsloMet-ABI/nikita-noark5-core/-/issues/207
Currently there are only 4 dependencies left before we can rule out whether
nikita is vulnerable or not.
The nikita test instance (API and GUI) has been pulled off the general
internet by Oslomet and is only available to those that connect to the
Oslomet VPN. I expect this situation to continue for a number of weeks.
- Thomas
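One way to work out which of the remaining dependencies actually carry log4j-core, as an added example that is not part of nikita or of the mail above: a Python scanner that opens every jar, follows jars nested inside a Spring Boot fat jar (BOOT-INF/lib/), reads the Maven coordinates that log4j-core ships in META-INF/maven/, and checks for the JndiLookup class. The jars it scans here are constructed in memory for the demo and are not real artifacts; the names scan_tree, inspect_jar and is_vulnerable are this example's own. The version floor encodes 2.15.0 (and the 2.12.2 backport) as the first fix for the December 2021 issue; later releases fixed follow-up issues, so a version above the floor only means "not the original bug", not "nothing to do".

```python
"""Find log4j-core jars (including ones nested in fat jars) and classify them.

Added example, not nikita project code. Sample jars are constructed below.
"""
import io
import os
import re
import zipfile

# Class implementing the JNDI lookup; present in every log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes the artifact coordinates to this file inside the jar.
CORE_POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.15.0 was the first release fixing the Dec 2021 JNDI lookup bug; 2.12.2 is the
# Java 7 backport. Later releases fixed follow-up issues: this is a floor only.
FIXED_VERSION = (2, 15, 0)
JAVA7_BACKPORT = (2, 12, 2)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); anything else -> None."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when a log4j-core version (tuple or None) predates the Dec 2021 fix."""
    if version is None:
        return True  # unknown version: flag for manual review
    if version[:2] == (2, 12):
        return version < JAVA7_BACKPORT
    return version < FIXED_VERSION


def inspect_jar(data, path="<root>"):
    """Return one finding per log4j-core jar found in `data` or nested inside it.

    Spring Boot fat jars keep dependencies under BOOT-INF/lib/, so nested jars are
    opened too; a finding records where the jar sits, its version and JndiLookup.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a jar (or corrupt): nothing to report
    with zf:
        names = set(zf.namelist())
        version = None
        if CORE_POM_PROPERTIES in names:
            for line in zf.read(CORE_POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append({"path": path, "version": version, "jndi_lookup": has_jndi,
                             "vulnerable": is_vulnerable(parse_version(version) if version else None)})
        for name in sorted(names):
            if name.endswith((".jar", ".war", ".zip")):
                findings.extend(inspect_jar(zf.read(name), f"{path}!/{name}"))
    return findings


def scan_jars(jars):
    """Inspect a mapping {filename: jar bytes} and collect all findings."""
    findings = []
    for name, data in jars.items():
        findings.extend(inspect_jar(data, name))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. ~/.m2/repository or a deployed lib/) and inspect every jar."""
    jars = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith((".jar", ".war", ".ear")):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    jars[os.path.join(dirpath, fn)] = fh.read()
    return scan_jars(jars)


def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes}. Constructed fixture helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_jars():
    """Constructed fixtures, not real artifacts: an old core jar, a fat jar nesting a
    patched core jar plus an api-only jar, and a stand-alone api-only jar."""
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    core_old = make_jar({CORE_POM_PROPERTIES: b"version=2.14.1\n", JNDI_LOOKUP_CLASS: fake_class})
    # JndiLookup.class still ships in fixed releases (JNDI disabled by default), so
    # class presence alone is not enough; the version decides.
    core_new = make_jar({CORE_POM_PROPERTIES: b"version=2.17.0\n", JNDI_LOOKUP_CLASS: fake_class})
    api_only = make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties":
                         b"version=2.14.1\n", "org/apache/logging/log4j/Logger.class": fake_class})
    fat_jar = make_jar({"BOOT-INF/lib/log4j-core-2.17.0.jar": core_new,
                        "BOOT-INF/lib/log4j-api-2.14.1.jar": api_only})
    return {"log4j-core-2.14.1.jar": core_old, "app.jar": fat_jar, "log4j-api-2.14.1.jar": api_only}


if __name__ == "__main__":
    for f in scan_jars(sample_jars()):
        print(f"{f['path']}: log4j-core {f['version']} JndiLookup={f['jndi_lookup']} "
              f"-> {'VULNERABLE' if f['vulnerable'] else 'above fix floor'}")
```

Note that the api-only jar produces no finding at all: log4j-api on the classpath is a common false alarm, the lookup code lives in log4j-core. Point scan_tree at the local Maven repository or at a deployed lib/ directory to see which dependencies really pull core in.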
More information about the nikita-noark
mailing list