
Updated: 6th of January 2022

Statement

On Friday, 10 December 2021, our OWASP scan alerted us to a vulnerability in Log4j, a commonly used open-source logging library for Java applications: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Analysis of Delft-FEWS components and the Log4Shell vulnerability CVE-2021-44228

Worldwide, many Java-based applications are affected by the Log4Shell vulnerability CVE-2021-44228, which is a vulnerability in the log4j 2 library. The affected log4j-core-2.11.1.jar is also shipped with the Delft-FEWS software in the 2018.02 - 2021.02 releases. Our users are right to ask Deltares for clarity on whether Delft-FEWS is impacted. Here is the summary of our analysis of the Delft-FEWS software.


The following fixes and updates are available for Delft-FEWS Stable versions 2019.02, 2020.01, 2020.02 and 2021.01 (and release candidate 2021.02):

  • Fixed versions of Elasticsearch and THREDDS in the Open Archive distributions.
  • Updated distributions (for: Master Controller, Operator Client/Forecasting Shell Server, Admin Interface, Delft-FEWS Webservices, Database proxy) with log4j 2.17.
  • Updated distributions for the model adapters maintained by Delft-FEWS that use log4j 2.*: HEC-HMS, Kanali, Ribasim, SMAP, SWAN, SWMM and WANDA. The Delft3D model adapter is part of the Delft-FEWS code, so it is automatically included in the updated distributions.

Remark: an updated distribution for Delft-FEWS 2018.02 will be made available as soon as possible.
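A check an administrator can run over an existing Delft-FEWS installation tree to find log4j-core jars older than the 2.17 shipped in the updated distributions above. This is an added example, not Deltares code: the directory layout and jar names it builds are constructed for the demonstration, and the version is read from the Maven pom.properties inside each jar where present, falling back to the filename.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Minimum log4j-core version named in the advisory's updated distributions.
FIXED_VERSION = (2, 17, 0)
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")
# Standard location of the Maven build metadata inside a log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.11.1' or '2.17' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(jar_path):
    """Prefer the version recorded in the jar's pom.properties; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar or no Maven metadata: use the filename instead
    m = JAR_RE.match(Path(jar_path).name)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def scan_install(root):
    """Walk an installation directory and report every log4j-core jar below 2.17."""
    findings = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        ver = jar_version(jar)
        if ver is None or ver < FIXED_VERSION:
            findings.append((str(jar), ver))
    return sorted(findings)

def build_sample_install():
    """Constructed throw-away tree mimicking an install with mixed log4j-core versions."""
    root = Path(tempfile.mkdtemp(prefix="fews-demo-"))
    def write_jar(rel, version):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\n")
    write_jar("bin/log4j-core-2.11.1.jar", "2.11.1")  # the version the advisory names
    write_jar("lib/log4j-core-2.17.1.jar", "2.17.1")  # patched, must not be reported
    (root / "adapters").mkdir()
    (root / "adapters" / "log4j-core-2.16.0.jar").write_bytes(b"")  # no metadata: filename used
    return root

if __name__ == "__main__":
    for path, ver in scan_install(build_sample_install()):
        print(f"VULNERABLE {path} (version {ver})")
```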

For more information on how to obtain the new distributions, please contact fews.support@deltares.nl and visit the installation instruction page (wiki login required).
