Closed hortongn closed 11 months ago
We can upgrade to version 1.15.5 to fix the log4j vulnerability.
We should test it in our local environment and then on scholar-dev to make sure that version of FITS works well with Hyrax. Try it with all types of files and verify it is extracting the technical metadata properly. Some versions of FITS are known to not work well with Samvera.
There is a FITS Servlet now available that increases Hyrax performance 4x.

Page load times with FITS Servlet: 3 seconds
Page load times with FITS utility: 12 seconds
Page load times with Postgres vs. Fedora: .5 seconds

I am making an issue for it. https://github.com/harvard-lts/FITSservlet
FITS Description on DEV (1.5.5)

Height: 591
Width: 811
File Format: jpeg (JPEG File Interchange Format)
File Size: 54279
Original Checksum: 123bbb19a218f846e5b41fbfd53869d7
Mime Type: image/jpeg

FITS Description on QA (1.5.5)

Height: 591
Width: 811
File Format: jpeg (JPEG File Interchange Format)
File Size: 54279
Original Checksum: 123bbb19a218f846e5b41fbfd53869d7
Mime Type: image/jpeg

FITS Description on PROD (1.5.5)

Height: 591
Width: 811
File Format: jpeg (JPEG File Interchange Format)
File Size: 54279
Original Checksum: 123bbb19a218f846e5b41fbfd53869d7
Mime Type: image/jpeg
Closed with upgrade of FITS to version 1.5.5 on all web servers.
Descriptive summary
Info Sec is requiring us to upgrade our Log4j instances to a current, safe version. FITS includes Log4j 1.x.
A new version of FITS was just released on 1/3/22 to address security issues, but they didn't upgrade FITS. https://github.com/harvard-lts/fits/releases/tag/1.5.1
We need to explore how we can remove or upgrade Log4j without breaking FITS. Keep in mind that some versions of FITS are known to not work so well with Hyrax.
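A defender-side check for the concern above that FITS bundles Log4j 1.x, added here as an example (it is not the project's code or the issue author's): it walks a FITS install tree, including the per-tool lib directories FITS ships, reads each Log4j jar's manifest version, and flags Log4j 1.x or any Log4j 2.x below an assumed policy minimum (2.17.1 stands in for whatever Info Sec requires). The tree it scans is constructed in a temp directory; the jar names and the `tools/exiftool/` path are illustrative.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed policy (not from the issue): Log4j 1.x is end-of-life and always flagged;
# Log4j 2.x must be at least MIN_LOG4J2. Set this to whatever Info Sec requires.
MIN_LOG4J2 = (2, 17, 1)
# The lookahead skips log4j-over-slf4j-*, SLF4J's 1.7.x bridge jar, which is not Log4j.
JAR_RE = re.compile(r"^log4j(?!-over-slf4j)(?:-[a-z0-9-]+)?-(?P<ver>\d+(?:\.\d+)+)[^/]*\.jar$")

def parse_version(text):
    # '2.17.1-SNAPSHOT' -> (2, 17, 1); None when no dotted integer version is present
    m = re.match(r"\d+(?:\.\d+)+", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def manifest_version(jar_path):
    # Version the jar's META-INF/MANIFEST.MF declares, or None if it declares none
    with zipfile.ZipFile(jar_path) as zf:
        raw = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in zf.namelist() else b""
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith(("Implementation-Version:", "Bundle-Version:")):
            return line.split(":", 1)[1].strip()

def verdict(ver):
    if ver[0] < 2:
        return "FLAG: Log4j 1.x (end-of-life)"
    return "OK" if ver >= MIN_LOG4J2 else "FLAG: below %s" % ".".join(map(str, MIN_LOG4J2))

def inventory(root):
    """[(relative path, version tuple, verdict)] for every Log4j jar under root; manifest version wins."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):  # rglob also covers the per-tool lib directories
        m = JAR_RE.match(path.name)
        if m:
            ver = parse_version(manifest_version(path)) or parse_version(m.group("ver"))
            findings.append((path.relative_to(root).as_posix(), ver, verdict(ver)))
    return findings

def make_sample_install(root):
    """Constructed stand-in for a FITS tree (not a real distribution); each jar holds only a manifest."""
    for rel, ver in {"lib/log4j-1.2.17.jar": "1.2.17", "lib/log4j-api-2.17.1.jar": "2.17.1",
                     "tools/exiftool/log4j-core-2.14.1.jar": "2.14.1", "lib/commons-io-2.6.jar": "2.6",
                     "lib/log4j-over-slf4j-1.7.30.jar": "1.7.30"}.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root) / rel, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: %s\n" % ver)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_install(tmp)
        return inventory(tmp)
```

Point `inventory()` at a real FITS directory to get the same list for an actual install; the jar name regex deliberately ignores jars that do not carry a version in their file name, so check those by hand.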