Vulnerability subject to the GeoNetwork Enterprise responsible disclosure policy. This policy applies to you, our customers; please do not share this sensitive content.
2021-12-09: Log4j2 Remote Code Execution CVE-2021-44228 vulnerability patch for GeoNetwork Enterprise
GeoNetwork Enterprise 2020.5.5 and earlier are vulnerable.
Users using GeoNetwork Enterprise 2020.5.5 and earlier are advised to apply the following hotfix.
- Download the file log4j-core-2.7.jar:
- This hotfix removes the class JndiLookup.class from the jar to mitigate CVE-2021-44228.
The vulnerability is triggered when an attacker gets a lookup string of the form ${jndi:ldap://...} into a logged message: JndiLookup resolves it through JNDI, contacting the attacker's server (typically LDAP) and loading the returned object, which gives remote code execution. With JndiLookup.class removed the lookup cannot run, so the vulnerability is mitigated. The hotfix does not upgrade Log4j itself; upgrading to the fixed release (below) remains the recommended fix.
- Stop Tomcat
- Copy the log4j-core-2.7.jar to the folder TOMCAT_DIR/geonetwork/WEB-INF/lib
It is important that this file replaces the existing log4j-core jar at this location: do not leave two copies of log4j-core on the classpath, since there is then no guarantee which one Tomcat loads.
- Restart Tomcat
Customers deploying geonetwork.war as part of an automated deployment are asked to repackage the war so that WEB-INF/lib contains the above log4j-core-2.7.jar; otherwise Tomcat re-extracts the original war on redeploy or restart and overwrites the hotfixed jar with the vulnerable one.
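The following script is an added example, not GeoNetwork's own hotfix tooling: it strips JndiLookup.class from a log4j-core jar, applies the same change to every WEB-INF/lib/log4j-core-*.jar inside a war (the repackaging case above), and checks an archive at any nesting depth so you can verify the replaced jar or war before restarting Tomcat. The jar and war it builds are constructed stand-ins with dummy bytes, not the real artifacts.

```python
import io
import re
import zipfile

# Path of the class inside log4j-core that resolves ${jndi:...} lookups.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches WEB-INF/lib/log4j-core-<version>.jar entries inside a war (not log4j-api).
LOG4J_CORE_RE = re.compile(r"(^|/)log4j-core-[^/]+\.jar$")


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of a jar with JndiLookup.class dropped; every other entry is kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info))
    return out.getvalue()


def contains_jndi_lookup(archive_bytes: bytes) -> bool:
    """True if JndiLookup.class is present at any nesting depth (e.g. a jar inside a war)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        for name in z.namelist():
            if name == JNDI_LOOKUP:
                return True
            if name.lower().endswith((".jar", ".war", ".ear")) and contains_jndi_lookup(z.read(name)):
                return True
    return False


def patch_war(war_bytes: bytes) -> bytes:
    """Rewrite a war so each embedded log4j-core jar has JndiLookup.class removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if LOG4J_CORE_RE.search(info.filename):
                # Content changed, so write it as a fresh entry under the same name.
                dst.writestr(info.filename, strip_jndi_lookup(data), compress_type=zipfile.ZIP_DEFLATED)
            else:
                dst.writestr(info, data)
    return out.getvalue()


def entry_names(archive_bytes: bytes) -> list:
    """List the entries of an archive (handy for eyeballing what survived the rewrite)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        return z.namelist()


def build_sample_jar(include_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core-2.7.jar: dummy entries, not the real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe dummy")
        if include_lookup:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe dummy")
    return buf.getvalue()


def build_sample_war(log4j_core_jar: bytes) -> bytes:
    """Constructed stand-in for geonetwork.war carrying the given log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>\n")
        z.writestr("WEB-INF/lib/log4j-core-2.7.jar", log4j_core_jar, compress_type=zipfile.ZIP_STORED)
        z.writestr("WEB-INF/lib/log4j-api-2.7.jar", build_sample_jar(include_lookup=False))
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar(include_lookup=True)
    print("sample jar contains JndiLookup:", contains_jndi_lookup(jar))
    print("after strip:", contains_jndi_lookup(strip_jndi_lookup(jar)))
    war = build_sample_war(jar)
    print("sample war contains JndiLookup:", contains_jndi_lookup(war))
    print("after patch_war:", contains_jndi_lookup(patch_war(war)))
```

On a real installation, point contains_jndi_lookup at the bytes of TOMCAT_DIR/geonetwork/WEB-INF/lib/log4j-core-2.7.jar (or at the repackaged geonetwork.war) after the copy and before restarting Tomcat; the equivalent one-liner check is unzip -l on the jar piped through grep for JndiLookup, which must print nothing.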
Please update to GeoNetwork Enterprise 2020.5.6-1, which uses the recommended Apache Log4j 2.17.0 library and is not subject to this vulnerability.