Issue 5: Update log4j and mitigate CVEs.

[jameswsullivan]

As in my reply here , this PR resolves the following CVEs:

log4j 1.2.17 -> 2.25.3:

• CVE-2019-17571 - Critical
• CVE-2022-23305 - Critical
• CVE-2022-23307 - Critical
• CVE-2021-4104 - High
• CVE-2022-23302 - High
• CVE-2023-26464 - High

The fix updates log4j 1.2.17 with:

• log4j-api 2.25.3
• log4j-core 2.25.3
• log4j-1.2-api 2.25.3

log4j-1.2-api provides the compatibility bridge so no code change is needed.

commons-lang 2.6 -> 3.20.0:

• CVE-2025-48924 - Medium

Other changes:

• net.handle 9.3.0 -> 9.3.2
• com.google.code.gson 2.8.6 -> 2.13.2

While working on the vulns I also changed the maven plugin to 3.11.0 and use Java 21 for build, as I was getting these errors:

[ERROR] COMPILATION ERROR :
[ERROR] Source option 7 is no longer supported. Use 8 or later.
[ERROR] Target option 7 is no longer supported. Use 8 or later.

Minor changes to the wiki are also needed to use the new log4j2 with the handle software, which I'll detail in a reply under this PR.

[jameswsullivan]

Handle Resolver Plugin Installation

The installation process remains largely the same besides the following changes:

In step 6, instead of using log4j-handle-plugin.properties file with the following content:

log4j.rootCategory=INFO, A1
log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
log4j.appender.A1.File=/hs/srv_1/logs/handle-plugin.log
log4j.appender.A1.DatePattern= '.' yyyy-MM-dd
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d %-5p %c @ %m%n
log4j.logger.org.apache.axis.handlers.http.HTTPAuthHandler=INFO

create a log4j2-handle-plugin.xml with the following:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">

    <Appenders>
        <RollingFile name="HandlePluginFile"
                     fileName="/hs/srv_1/logs/handle-plugin.log"
                     filePattern="/hs/srv_1/logs/handle-plugin.log. %d{yyyy-MM-dd}">

            <PatternLayout pattern="%d %-5p %c @ %m%n"/>

            <Policies>
                <TimeBasedTriggeringPolicy interval="1" modulate="true"/>
            </Policies>

            <DefaultRolloverStrategy max="30"/>

        </RollingFile>
    </Appenders>

    <Loggers>
        <Logger name="org.apache.axis.handlers.http.HTTPAuthHandler" level="info"/>

        <Root level="info">
            <AppenderRef ref="HandlePluginFile"/>
        </Root>
    </Loggers>

</Configuration>

In step 8, instead of using:

-Dlog4j.configuration=file:///hs/srv_1/log4j-handle-plugin.properties -Ddspace.handle.plugin.configuration=/hs/srv_1/handle-dspace-plugin.cfg

in /hs/handle-9.1.0/bin/hdl, use:

-Dlog4j.configurationFile=file:///hs/srv_1/log4j2-handle-plugin.xml -Ddspace.handle.plugin.configuration=/hs/svr_1/handle-dspace-plugin.cfg

---

Add log4j2 artifacts to handle software

Download the latest handle software from https://www.handle.net/download_hnr.html , follow the normal installation process detailed here, and add the following log4j artifacts into the handle software's lib directory:

• log4j-1.2-api-2.25.3.jar
• log4j-api-2.25.3.jar
• log4j-core-2.25.3.jar

Or, use my unofficial copy of the handle software with the updates already added.

[jameswsullivan]

Handle Software Vulnerabilities

If you opt to use my updated version of the handle software, it also contains jetty updates that mitigate the following CVEs:

• CVE-2024-22201 - High
• CVE-2025-5115 - High
• CVE-2023-36478 - High
• CVE-2022-2048 - High
• CVE-2021-28165 - High
• CVE-2024-13009 - High
• CVE-2020-27216 - High
• CVE-2023-44487 - Medium
• CVE-2023-44487 - Medium
• CVE-2023-40167 - Medium
• CVE-2024-6763 - Medium
• CVE-2019-10241 - Medium
• CVE-2019-10246 - Medium
• CVE-2019-10247 - Medium
• CVE-2020-27218 - Medium
• CVE-2020-27223 - Medium
• CVE-2023-26048 - Medium
• CVE-2024-8184 - Medium
• CVE-2021-28169 - Medium
• CVE-2024-9823 - Medium
• CVE-2022-2047 - Low
• CVE-2021-34428 - Low
• CVE-2023-26049 - Low
• CVE-2023-36479 - Low
• GHSA-58qw-p7qm-5rvh - Low

[jameswsullivan]

@kshepherd @misilot @tdonohue Alright the PR is up.

[pnbecker]

@jameswsullivan thank you for your wok on this, it's highly appreciated.