NOTICE: DSpace 7 is impacted by new "Spring4Shell" zero-day vulnerability. Does not impact DSpace 6 or below.
44 views
Skip to first unread message
Tim Donohue
Apr 1, 2022, 10:33:42 AM4/1/22
to DSpace Community, DSpace Technical Support, DSpace Developers
All,
You may have heard or been notified about a new significant vulnerability in the Java Spring Framework nicknamed Spring4Shell (CVE-2022-22965): https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
DSpace 7 is impacted by this vulnerability
provided that you are running the DSpace 7 backend on Apache Tomcat (which most likely are).
DSpace 6.x or below (5.x, 4.x, etc) are NOT impacted, as those releases of DSpace all used Java/JDK 8 or below. This vulnerability only occurs when running on Java/JDK 9 or above.
DSpace 6.x or below (5.x, 4.x, etc) are NOT impacted, as those releases of DSpace all used Java/JDK 8 or below. This vulnerability only occurs when running on Java/JDK 9 or above.
IMMEDIATE QUICK FIX OPTIONS
- Patch your DSpace 7 backend by applying the changes in this small PR: https://github.com/DSpace/DSpace/pull/8231 This patch may be applied to an existing 7.2, 7.1 or 7.0 site.
- NOTE: A DSpace 7.2.1 backend security release will be released later today (likely within the next 1-2 hours) with these same changes applied. A follow-up to this email will be sent when that release is available for download.
- And/Or, upgrade to Apache Tomcat version 9.0.62 (or a later 9.x release). This version of Apache Tomcat provides protection against the attack. Therefore, if you upgrade Tomcat, your existing DSpace 7 site should be protected.
Other common questions:
- Is DSpace vulnerable to the separate Spring Cloud vulnerability CVE-2022-22963? No, it is not. No version of DSpace has ever used Spring Cloud.
If there are other questions, feel free to ask them on this list!
Tim
Tim Donohue
Apr 1, 2022, 11:51:54 AM4/1/22
to DSpace Community, DSpace Technical Support, DSpace Developers
All,
The DSpace 7.2.1 release of the backend is also now available. This is a quick upgrade for any sites already running 7.2.
For the latest information on how to protect your site against Spring4Shell (CVE-2022-22965), see the list of options detailed in this PR: https://github.com/DSpace/DSpace/pull/8231
This includes listing options for anyone running 7.0 or 7.1.
(Again, sites running DSpace 6.x, 5.x, 4.x or other older releases are not impacted by the vulnerability)
If there are any further questions, let us know on this list.
Tim
From: Tim Donohue <tim.d...@lyrasis.org>
Sent: Friday, April 1, 2022 9:33 AM
To: DSpace Community <dspace-c...@googlegroups.com>; DSpace Technical Support <dspac...@googlegroups.com>; DSpace Developers <dspace...@googlegroups.com>
Subject: NOTICE: DSpace 7 is impacted by new "Spring4Shell" zero-day vulnerability. Does not impact DSpace 6 or below.
Sent: Friday, April 1, 2022 9:33 AM
To: DSpace Community <dspace-c...@googlegroups.com>; DSpace Technical Support <dspac...@googlegroups.com>; DSpace Developers <dspace...@googlegroups.com>
Subject: NOTICE: DSpace 7 is impacted by new "Spring4Shell" zero-day vulnerability. Does not impact DSpace 6 or below.
Reply all
Reply to author
Forward
0 new messages