Upgrade Spring version from 5.3.27 to 5.3.32 due to vulnerability issue


Salony Permanand

Mar 27, 2024, 9:10:30 AM
to DSpace Technical Support
Hello All,

I am using DSpace version 7.6.

I have a vulnerability issue with the Spring version in my DSpace.

It throws a warning: "Applications that use 'UriComponentsBuilder' to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack"

The only solution available is to upgrade from 5.3.27 to 5.3.32 (which is the secure version).

But when I try to upgrade, it creates lots of issues with the DSpace version and is not supported.

Can anyone help regarding that and suggest what to do?

Any help is highly appreciated.

Salony Permanand

Mar 28, 2024, 8:26:17 AM
to DSpace Technical Support

Hello All,

As per my understanding, I updated the Spring version from 5.3.27 to 5.3.32 in the pom.xml file.

After doing that I rebuilt the backend code using the mvn clean package and ant fresh_install commands.

While rebuilding I was getting the error "Dependency convergence error for org.springframework:spring-context-support".

I resolved that error and the build completed successfully.

I want to know whether only these steps are needed to upgrade Spring in DSpace, or whether I am missing some steps.

How should I check that the server is now using the upgraded Spring version?

Any suggestion or help is highly appreciated.
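An added example for the verification question above, not code from any post in this thread or from DSpace itself: a POSIX shell check that lists the Spring Framework jars a deployed webapp actually ships and fails if any module is not at the expected version, so a leftover spring-context-support at the old version (the module behind the convergence error) shows up as a mismatch. It assumes the standard spring-<module>-<version>.jar file naming; the sample directory at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or DSpace): confirm which Spring Framework
# version a deployed DSpace webapp really ships by inspecting the jars in its
# WEB-INF/lib (or any directory of jars). Assumes spring-<module>-<version>.jar naming.

# Print "<module> <version>" for every Spring Framework jar below directory $1.
# Spring Security, Boot, Data and HATEOAS have their own version lines, so they
# are excluded rather than compared against the Framework version.
spring_jar_versions() {
    find "$1" -name 'spring-*.jar' 2>/dev/null \
      | sed -E 's#.*/##; s/\.jar$//' \
      | grep -v -E '^spring-(security|boot|data|hateoas)-' \
      | sed -E 's/^(.*)-([0-9][^-]*)$/\1 \2/' \
      | sort
}

# Return 0 if every Spring Framework jar below $1 is at version $2; otherwise
# print each mismatching "<module> <version>" line to stderr and return 1.
check_spring_version() {
    mismatches=$(spring_jar_versions "$1" | awk -v want="$2" '$2 != want')
    if [ -n "$mismatches" ]; then
        printf 'Spring jars not at %s:\n%s\n' "$2" "$mismatches" >&2
        return 1
    fi
    return 0
}

# Constructed sample: empty files with jar names standing in for a real
# WEB-INF/lib. Real use: check_spring_version /path/to/WEB-INF/lib 5.3.32
demo_dir=$(mktemp -d)
for jar in spring-core-5.3.32 spring-web-5.3.32 spring-context-support-5.3.27 \
           spring-security-core-5.7.0; do
    : > "$demo_dir/$jar.jar"
done
check_spring_version "$demo_dir" 5.3.32 || echo "mixed Spring versions found"
```

Run it against the exploded webapp (for example the lib directory under the deployed server webapp) after the rebuild; a clean result means every Framework module on the classpath is at the version you set in pom.xml.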

DSpace Technical Support

Mar 28, 2024, 4:07:27 PM
to DSpace Technical Support
Hi,

The Spring vulnerability you are likely mentioning is this one: https://spring.io/security/cve-2024-22243

While this is a security issue in Spring, at this time, we do not believe it impacts DSpace directly because DSpace doesn't use the UriComponentsBuilder in the way that is described by the vulnerability. Nonetheless, we have already applied this Spring upgrade to our "dspace-7_x" branch in our backend's codebase: https://github.com/DSpace/DSpace/tree/dspace-7_x That way the upgrade will be included in the 7.6.2 release.

If you wish to apply these same changes locally, the necessary changes to 7.x are all found in this PR: https://github.com/DSpace/DSpace/pull/9376

As a sidenote, there was also a later follow-up security issue from Spring in https://spring.io/security/cve-2024-22259 which reports that they failed to fully fix that issue in Spring 5.3.32.

The secondary fix was to simply update to Spring 5.3.33, which we did in this PR: https://github.com/DSpace/DSpace/pull/9422

Again, neither of these Spring updates seem like they are required for DSpace sites at this time. Both will be included in the DSpace 7.6.2 release (date is to be announced). That said, if you feel safer applying them early, then you are welcome to do so via the two PRs above (or via the `dspace-7_x` maintenance branch).

Tim

Salony Permanand

Mar 29, 2024, 3:03:25 AM
to DSpace Technical Support
Thanks for the reply.


Salony Permanand