DSpace and OpenSSL 3.0.x

[sbu...@oakland.edu]

Our central IT has warned us of an OpenSSL vulnerability and requested that we check with the developers/vendors for any needed patches. We are on DSpace 5.11. Does this version, or version 7.4 (which we are planning to move to) require a patch for this vulnerability?

Thank you!
Sarah

[DSpace Technical Support]

Hi Sarah,

DSpace doesn't include any direct dependency to a specific version of OpenSSL, so there is nothing to patch for the application software itself.

You might need to patch your server that is hosting Tomcat (and/or Apache HTTPD if offloading SSL in a reverse proxy) for DSpace, however. See https://www.snbforums.com/threads/sans-critical-openssl-3-0-x-vulnerability.81516/ for some expected versions on various operating systems / distros, and how to check which version of OpenSSL is installed.

Hope this helps!

Cheers

Kim