We get contacted by EGI security to comment on PostgreSQL vulnerability CVE-2022-1552.
The dCache itself is not affected. Moreover, the most of the installations do not share postgresql used by dCache with other services, thus there are no other users ‘having permission to create non-temp objects’ on the same DB.
Nonetheless, we encourage sites to update the postgresql servers to recommended versions at the next possible maintenance slot.
A critical security vulnerability CVE-2021-44228 has been identified in the popular “Apache Log4j 2” library (2.x <= 2.15.0-rc1). This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to securityÔądcache.org. Thanks for that!
Log4j in dCache dCache uses logback as the default logging solution and does not distribute the Log4j library with officially released packages. It is therefore not affected.
Log4j in ZooKeeper and Kafka Like many Java based projects, ZooKeeper and Apache Kafka use Log4j as their logging library.
A critical security vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-23307 has been identified in the “Apache Apache Chainsaw” library. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. This has raised concerns among many dCache admins, who have contacted us either directly or by sending a message to securityÔądcache.org. Thanks for that!
Log4j in dCache dCache uses logback as the default logging solution and does not distribute the Log4j library with officially released packages.