Dspace security matters

[Noorhafizah Mohd Akil]

Hello, 

Dear all.

I have a security concern with DSpace. Our web server was the victim of a web shell assault that provided backdoor access to the web server directory. We are still in the inquiry phase right now.

Our system currently utilizes Dspace 6.3, and the most recent version I could find was 7.4.

Does version 6.3 require any patches throughout the upgrade of the version.

Thank you.

[Noorhafizah Mohd Akil]

In addition. we are running Dspace on Ubuntu 18.04.2 LTS

[Tim Donohue]

Hi,

Since you are on DSpace 6.3, I'd recommend minimally upgrading to DSpace 6.4 as it includes a large number of security fixes to the 6.x platform.  See the release notes at 

https://wiki.lyrasis.org/display/DSDOC6x/Release+Notes#ReleaseNotes-6.4ReleaseNotes

That said, it's worth being aware that 6.x is nearly "end of life".  Announcements went across these mailing lists last year.  Here's the end of life information: https://wiki.lyrasis.org/display/DSPACE/Support+for+DSpace+5+and+6+is+ending+in+2023

The latest version of DSpace is 7.4 (and 7.5 is coming soon in February).  It is the most secure of our releases.    So, you may wish to consider an upgrade at some point (this is a major upgrade as there is a brand new User Interface, etc).  See release notes at https://wiki.lyrasis.org/display/DSDOC7x/Release+Notes

If you have additional questions, let us know on this list.  If you wish to report security issues, see our Software support policy for how to do so: https://wiki.lyrasis.org/display/DSPACE/DSpace+Software+Support+Policy

Thanks,

Tim Donohue