Postgresql and ERDDAP (Important if you use Postgresql with ERDDAP)


Roy Mendelssohn - NOAA Federal

Feb 21, 2024, 11:52:02 AM
to ERDDAP
A critical vulnerability has been identified in the Postgresql JDBC driver. If you are using Postgresql with ERDDAP, please update as soon as possible and let us know if it causes any problems. In the instructions it points to:

> https://mvnrepository.com/artifact/org.postgresql/postgresql

as one place to get the driver. The instructions on where to put the JDBC driver and other settings are:

> JDBC Driver and <driverName> -- You must get the appropriate JDBC 3 or JDBC 4 driver .jar file for your database and
> put it in tomcat/webapps/erddap/WEB-INF/lib after you install ERDDAP. Then, in your datasets.xml for this dataset, you must specify the <driverName> for this driver, which is (unfortunately) different from the filename. Search on the web for the JDBC driver for your database and the driverName that Java needs to use it.
>
> After you put the JDBC driver .jar in ERDDAP lib directory, you need to add a reference to that .jar file in the .bat and/or .sh script files for GenerateDatasetsXml, DasDds, and ArchiveADataset which are in the tomcat/webapps/erddap/WEB-INF/ directory; otherwise, you'll get a ClassNotFoundException when you run those scripts.

Note that this update can be done without an update to the rest of ERDDAP, but as always we recommend running the latest version of ERDDAP (presently 2.23).

Thanks,

-Roy



**********************
"The contents of this message do not reflect any position of the U.S. Government or NOAA."
**********************
Roy Mendelssohn
Supervisory Operations Research Analyst
NOAA/NMFS
Environmental Research Division
Southwest Fisheries Science Center
***Note new street address***
110 McAllister Way
Santa Cruz, CA 95060
Phone: (831)-420-3666
Fax: (831) 420-3980
e-mail: Roy.Men...@noaa.gov www: https://www.pfeg.noaa.gov/

"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected"
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.

bobsimons2.00

Feb 21, 2024, 3:07:09 PM
to ERDDAP
I think Roy's instructions are not right in a few ways and not optimal in several ways. I think these are better instructions:
  1. In the [tomcat]/webapps/erddap/WEB-INF/jar directory, admins should move the current postgresql...jar file(s) (there may be 1 or 2!) to some other directory outside of the [tomcat] directory (but keep it/them in the unlikely event that the changes below cause ERDDAP to not work). 
  2. At https://mvnrepository.com/artifact/org.postgresql/postgresql, admins should click on "42.7.2" then "jar" to download the latest postgres .jar file. Place it in the [tomcat]/webapps/erddap/WEB-INF/jar directory. 
  3. In your datasets.xml file, for each EDDTableFromDatabase dataset that uses Postgresql, the <driverName> should already be "org.postgresql.Driver" and thus doesn't need to be changed, but it's a good idea to verify this.
  4. Unless you have a very old version of ERDDAP (which would be very bad because there would be other security vulnerabilities), there shouldn't be a reference to the postgresql .jar file in the .bat and .sh script files for GenerateDatasetsXml, DasDds, and ArchiveADataset which are in the [tomcat]/webapps/erddap/WEB-INF/. If those files do refer to the postgres jar file's name, you do need to change the reference to the new file name, but it would be vastly better to update your ERDDAP installation to the current 2.23 version.
  5. Restart your ERDDAP so the changes take effect.
If I made a mistake or if you have suggestions for improvement, please let me know.
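The steps above as a POSIX shell script, added here as an example and not code from the ERDDAP project or either poster. It assumes the jar directory is WEB-INF/lib (the location the ERDDAP documentation quoted in Roy's post names; change JAR_DIR if your install differs), that the replacement jar has already been downloaded (the commented curl line uses Maven Central's standard path layout for the artifact the mvnrepository page links to), and that you supply the expected SHA-256 of the jar from the checksum published beside the artifact rather than trusting whatever you fetched. The demo at the bottom runs against a constructed throwaway WEB-INF tree so it works offline.

```shell
#!/bin/sh
# Replace the PostgreSQL JDBC driver under an ERDDAP WEB-INF directory.
# Added example; paths and the JAR_DIR default are assumptions, see lead-in.
set -eu

JAR_DIR=lib   # assumed: WEB-INF/lib per the ERDDAP docs quoted above

# Step 1: move every existing postgresql*.jar out of WEB-INF/$JAR_DIR into a
# backup directory (keep it outside the tomcat tree). Prints the count moved.
backup_old_pg_jars() {
    bk_webinf=$1; bk_dest=$2
    mkdir -p "$bk_dest"
    bk_n=0
    for bk_jar in "$bk_webinf/$JAR_DIR"/postgresql*.jar; do
        [ -e "$bk_jar" ] || continue        # no match: glob stays literal
        mv "$bk_jar" "$bk_dest/"
        bk_n=$((bk_n + 1))
    done
    echo "$bk_n"
}

# Step 2: download (done separately, e.g.
#   curl -fsSLO https://repo1.maven.org/maven2/org/postgresql/postgresql/42.7.2/postgresql-42.7.2.jar
# ), then verify the jar against the published checksum before installing it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

install_pg_jar() {
    in_jar=$1; in_expected=$2; in_webinf=$3
    in_actual=$(sha256_of "$in_jar")
    if [ "$in_actual" != "$in_expected" ]; then
        echo "checksum mismatch for $in_jar: got $in_actual" >&2
        return 1                              # refuse to install a tampered/wrong jar
    fi
    cp "$in_jar" "$in_webinf/$JAR_DIR/"
}

# Step 3: print the distinct <driverName> values in datasets.xml so the admin
# can confirm the Postgres datasets use org.postgresql.Driver.
list_driver_names() {
    sed -n 's/.*<driverName>\([^<]*\)<\/driverName>.*/\1/p' "$1" | sort -u
}

# Step 4: report which helper scripts still hard-code a postgresql jar name
# (an old ERDDAP; those references need editing, or better, upgrade ERDDAP).
scripts_referencing_pg() {
    sr_webinf=$1
    for sr_name in GenerateDatasetsXml DasDds ArchiveADataset; do
        for sr_ext in sh bat; do
            sr_file="$sr_webinf/$sr_name.$sr_ext"
            [ -f "$sr_file" ] || continue
            if grep -qi postgresql "$sr_file"; then echo "$sr_file"; fi
        done
    done
}

# Demo against a constructed WEB-INF tree (not a real install); step 5,
# restarting Tomcat/ERDDAP, is left to the admin.
demo() {
    tmp=$(mktemp -d)
    webinf="$tmp/WEB-INF"
    mkdir -p "$webinf/$JAR_DIR"
    : > "$webinf/$JAR_DIR/postgresql-42.5.1.jar"              # constructed old driver
    printf 'not a real jar\n' > "$tmp/postgresql-42.7.2.jar"   # constructed new driver
    printf '<dataset type="EDDTableFromDatabase" datasetID="demo_pg">\n  <driverName>org.postgresql.Driver</driverName>\n</dataset>\n' > "$tmp/datasets.xml"
    printf 'java -cp "lib/postgresql-42.5.1.jar:..." ...\n' > "$webinf/GenerateDatasetsXml.sh"

    echo "moved $(backup_old_pg_jars "$webinf" "$tmp/jdbc-backup") old driver jar(s)"
    # In real use the expected hash comes from the published checksum, not the file itself.
    install_pg_jar "$tmp/postgresql-42.7.2.jar" "$(sha256_of "$tmp/postgresql-42.7.2.jar")" "$webinf"
    echo "driverName values:"; list_driver_names "$tmp/datasets.xml"
    echo "scripts still naming a postgresql jar:"; scripts_referencing_pg "$webinf"
    rm -rf "$tmp"
}
demo
```

Run it once as-is to see the demo, then call the functions against your real [tomcat]/webapps/erddap/WEB-INF path. The checksum gate in install_pg_jar is the one step worth keeping even if you do the rest by hand: a driver jar is loaded with the web application's privileges, so verify what you downloaded before it lands in the classpath.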