...
Updated: 6th of January 2022
Statement
On Friday, 10 December 2021, our OWASP scan alerted us to a vulnerability in Log4j, a commonly used open-source logging library for Java applications: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Analysis of Delft-FEWS components and the Log4Shell vulnerability CVE-2021-44228
Worldwide, many Java-based applications suffer from the Log4Shell vulnerability CVE-2021-44228, which is caused by a flaw in the log4j2 library. The file log4j-core-2.11.1.jar is also shipped with the Delft-FEWS software in the 2018.02 - 2021.02 releases. Our users are right to ask Deltares for clarity on whether Delft-FEWS is impacted. Here is a summary of our analysis of the Delft-FEWS software.
...
The following fixes and updates are available:
...
For Delft-FEWS stable versions 2019.02 - 2020.01 - 2020.02 - 2021.01 (and release candidate 2021.02):
- Fixed versions of Elasticsearch and Thredds in the Open Archive distributions.
- Updated distributions (for: Master Controller, Operator Client/Forecasting Shell Server, Admin Interface, Delft-FEWS Webservices, Database proxy) with log4j 2.17.
- Updated distributions for the model adapters maintained by Delft-FEWS that use log4j 2.*: HEC-HMS, Kanali, Ribasim, SMAP, SWAN, SWMM and WANDA. The Delft3D model adapter is part of the Delft-FEWS code, so it is automatically included in the updated distributions.
Remark: an updated distribution for Delft-FEWS 2018.02 will be made available as soon as possible.
For more information on how to obtain the new distributions, please contact fews.support@deltares.nl and visit the installation instruction page (wiki login required).
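To verify that an installation has actually picked up the update above, an administrator will want an inventory of every log4j-core jar on disk and its version compared with the 2.17 level named in this statement. The script below is an added example, not Deltares code and not part of this statement. It walks a directory tree for log4j-core*.jar files, reads the version from each jar's manifest (falling back to the file name), and reports each jar as "updated" (2.17 or later), "vulnerable" (older and still containing the JndiLookup class), "mitigated" (older, but with JndiLookup.class removed, which is the Apache project's interim mitigation for older 2.x releases), or "unknown". The directory layout and jar contents it builds in a temporary directory are constructed for the demonstration and do not reflect a real Delft-FEWS install.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# log4j 2.17 is the level the statement says the updated distributions ship with.
FIXED_VERSION = (2, 17, 0)
# Class removed by the Apache log4j project's interim mitigation for older 2.x jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a manifest value or a file name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(jar_path):
    """Return (version, jndi_lookup_present) for one log4j-core jar."""
    version = None
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if MANIFEST in names:
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
                    break
        has_jndi = JNDI_LOOKUP in names
    if version is None:  # no usable manifest entry: fall back to the file name
        version = parse_version(Path(jar_path).name)
    return version, has_jndi


def classify(version, has_jndi):
    """Status relative to the 2.17 level from the statement."""
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "updated"
    return "vulnerable" if has_jndi else "mitigated"


def scan(root):
    """Map every log4j-core jar under root (as a relative posix path) to its status."""
    root = Path(root)
    results = {}
    for jar in sorted(root.rglob("log4j-core*.jar")):
        rel = jar.relative_to(root).as_posix()
        try:
            version, has_jndi = inspect_jar(jar)
        except zipfile.BadZipFile:
            results[rel] = "unknown"  # corrupt or truncated archive
            continue
        results[rel] = classify(version, has_jndi)
    return results


def write_jar(path, version, include_jndi):
    """Write a minimal constructed jar (a zip) with a manifest and placeholder classes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def build_sample_install(root):
    """Constructed layout standing in for an install tree; paths are hypothetical."""
    root = Path(root)
    write_jar(root / "bin/lib/log4j-core-2.11.1.jar", "2.11.1", True)       # untouched
    write_jar(root / "adapters/hec-hms/log4j-core-2.11.1.jar", "2.11.1", False)  # class removed
    write_jar(root / "webservices/lib/log4j-core-2.17.0.jar", "2.17.0", True)   # updated
    write_jar(root / "bin/lib/log4j-api-2.11.1.jar", "2.11.1", False)       # not log4j-core


def demo():
    """Build the constructed install in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:10s} {path}")
```

Point `scan()` at the real installation root instead of the constructed tree to get the same report for a live system; note that the version check treats anything below 2.17 as needing the updated distribution, and the "mitigated" status only records that the JndiLookup class is absent, not that the jar is otherwise current.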
...