Fwd: Security Vulnerability in ERDDAP v2.15+

Skip to first unread message

Roy Mendelssohn - NOAA Federal

Nov 21, 2022, 7:50:46 PM11/21/22
to 'Mathew Biddle - NOAA Federal' via ioos_tech
If you haven't seen this post from Bob,  please note and take appropriate action.



PS - And yes,  ERDDAP is still active and well.  

Begin forwarded message:

From: Bob Simons <bobsim...@gmail.com>
Subject: Security Vulnerability in ERDDAP v2.15+
Date: November 21, 2022 at 2:52:03 PM PST
To: undisclosed-recipients:;

There is a security vulnerability related to the language selection dropdown (which usually appears in the upper right of every HTML page) in ERDDAP v2.15 and above. I'm working on a fix but it appears to be more complicated than I initially thought, so it may take a while. 

In the meantime (i.e., immediately), you can and should remove the vulnerability by removing "&language;" from <startBodyHtml5> in your datasets.xml. That will cause the language selection dropdown to disappear. If you then flag any dataset or wait for loadDatasets to run by itself, the change will take effect. 

Or, if your <startBodyHtml5> tag is empty (or non-existent), replace it temporarily with 
<table class="compact nowrap" style="width:100%; background-color:#128CB5;">
    <td style="text-align:center; width:80px;"><a rel="bookmark"
      title="National Oceanic and Atmospheric Administration"
      src="&erddapUrl;/images/noaab.png" alt="NOAA"
    <td style="text-align:left; font-size:x-large; color:#FFFFFF; ">
    <td style="text-align:right; font-size:small;">
      <a title="National Oceanic and Atmospheric Administration" rel="bookmark"
      <a title="National Marine Fisheries Service" rel="bookmark"
      <a title="Southwest Fisheries Science Center" rel="bookmark"
      <a title="Environmental Research Division" rel="bookmark"
      &nbsp; &nbsp;

Again: if you then flag any dataset or wait for loadDatasets to run by itself, the change will take effect. 

Or, if your ERDDAP isn't set up to show the language dropdown (usually in the upper right of every HTML page's banner), there is no vulnerability.

To be super clear: if the language dropdown is gone, the vulnerability is gone.

I hope that makes sense. If you have any questions, please let me know.

Best wishes.

"The contents of this message do not reflect any position of the U.S. Government or NOAA."
Roy Mendelssohn
Supervisory Operations Research Analyst
Environmental Research Division
Southwest Fisheries Science Center
***Note new street address***
110 McAllister Way
Santa Cruz, CA 95060
Phone: (831)-420-3666
Fax: (831) 420-3980
e-mail: Roy.Men...@noaa.gov www: https://www.pfeg.noaa.gov/

"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected" 
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.

St Savage, Shane

Nov 22, 2022, 12:05:54 PM11/22/22
to ioos...@googlegroups.com
For those running ERDDAP in docker-compose, you can apply the startBodyHtml5 fix via the ERDDAP_startBodyHtml5 environment variable  by using a multiline yaml string like so:

      ERDDAP_startBodyHtml5: >

If you're not using docker-compose you can of course supply the ERDDAP_startBodyHtml5 by other means, but the yaml approach is nice and clean.


From: 'Roy Mendelssohn - NOAA Federal' via ioos_tech <ioos...@googlegroups.com>
Sent: Monday, November 21, 2022 16:50
To: 'Mathew Biddle - NOAA Federal' via ioos_tech <ioos...@googlegroups.com>
Subject: [ioos_tech] Fwd: Security Vulnerability in ERDDAP v2.15+
You received this message because you are subscribed to the Google Groups "ioos_tech" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ioos_tech+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ioos_tech/69779E17-6514-4F38-BCF7-FEF88F575DF9%40noaa.gov.
Reply all
Reply to author
0 new messages