Lately, the critical Apache Log4j vulnerability CVE-2021-44228 in the Apache Log4j library has been announced.
The ECaccess Gateway is using Apache Log4j v1.x which is not directly affected by the Log4shell vulnerability. There is still a possibility of being hit by the JNDI issue but only if the JMS appender was configured in the "log4j.properties" files, which is definitely not the case. However, if you are really concerned, you can always add the following lines in the "gateway" startup script (along with the other java options):
JAVA_OPTS=$JAVA_OPTS" -Dcom.sun.jndi.rmi.object.trustURLCodebase=false"
JAVA_OPTS=$JAVA_OPTS" -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false”
And restart the gateway to apply the change.
Only if you wish to download the ECaccess Gateway package, please first register at one of the ECaccess Registration Centre:
- Through the Internet: https://ecaccess.ecmwf.int/registration/login.jsp
- Through the RMDCN: https://msaccess.ecmwf.int/registration/login.jsp
If you are to perform the administrative task of installing and/or maintaining the ECaccess software, you should study the Administrator's Manual.
If you wish to export the ECtrans Associations from an existing ECaccess Gateway to a new Gateway then you should follow the procedure described in ECtrans Associations Export - Import.
If you wish to upgrade an existing ECaccess Gateway then please follow the procedure described in Gateway Upgrade.
The minimum requirement for the Gateway package is Java1.8.x, however we recommend installing the latest JDK from Oracle available at the following URL:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
The Gateway software is currently running at ECMWF using the Oracle Java version "1.8.0_60" - Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode).
Releases
Please note the following package requires at least Java 1.8.x to be installed.