info

Vulnerability in PostgreSQL server

We were contacted by EGI security to comment on the PostgreSQL vulnerability CVE-2022-1552. dCache itself is not affected. Moreover, most installations do not share the PostgreSQL server used by dCache with other services, so there are no other users ‘having permission to create non-temp objects’ on the same DB. Nonetheless, we encourage sites to update their PostgreSQL servers to the recommended versions at the next possible maintenance slot.

Migrating to a new website engine

After almost two decades, the dCache.org web content has been migrated from regular HTML pages written by hand to a modern static site generator based on Hugo with the Mainroad template. This change will simplify the maintenance of the web pages and will allow developers to keep the content up to date. New pages and documentation can be added by simply dropping a file written in Markdown format into the desired directory. The source code of the pages is available on GitHub and can be edited directly in a browser.

Log4j Vulnerability

A critical security vulnerability, CVE-2021-44228, has been identified in the popular “Apache Log4j 2” library (2.x <= 2.15.0-rc1). This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to security@dcache.org. Thanks for that! Log4j in dCache: dCache uses logback as the default logging solution and does not distribute the Log4j library with officially released packages. It is therefore not affected. Log4j in ZooKeeper and Kafka: Like many Java-based projects, ZooKeeper and Apache Kafka use Log4j as their logging library.

Log4j 1.2 Vulnerability

A critical security vulnerability, CVE-2022-23307 (https://nvd.nist.gov/vuln/detail/CVE-2022-23307), has been identified in the “Apache Chainsaw” library. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists. This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to security@dcache.org. Thanks for that! Log4j in dCache: dCache uses logback as the default logging solution and does not distribute the Log4j library with officially released packages.

dCache is 20!

On the 16th of September 2000, at the Computer User Committee at DESY, a new project, A Homogeneous Distributed Storage Environment for Physics Data Processing, was presented. Its main objectives were to address storage system concerns after HERA and Tevatron accelerator upgrades at DESY and Fermilab. The new system had the following goals: Optimized usage of existing tape drives due to transfer rate adaption. Possible usage of slower and cheaper drive technology without overall performance reduction.