All,

You may have heard or been notified about a new significant vulnerability in the Java Spring Framework nicknamed Spring4Shell (CVE-2022-22965): https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

DSpace 7 is impacted by this vulnerability provided that you are running the DSpace 7 backend on Apache Tomcat (which you most likely are). DSpace 6.x or below (5.x, 4.x, etc.) are NOT impacted, as those releases of DSpace all used Java/JDK 8 or below. This vulnerability only occurs when running on Java/JDK 9 or above.

IMMEDIATE QUICK FIX OPTIONS

* Patch your DSpace 7 backend by applying the changes in this small PR: https://github.com/DSpace/DSpace/pull/8231 This patch may be applied to an existing 7.2, 7.1 or 7.0 site.
  * NOTE: A DSpace 7.2.1 backend security release will be released later today (likely within the next 1-2 hours) with these same changes applied. A follow-up to this email will be sent when that release is available for download.
* And/Or, upgrade to Apache Tomcat version 9.0.62 (or a later 9.x release). This version of Apache Tomcat provides protection against the attack. Therefore, if you upgrade Tomcat, your existing DSpace 7 site should be protected.

Other common questions:

* Is DSpace vulnerable to the separate Spring Cloud vulnerability CVE-2022-22963? No, it is not. No version of DSpace has ever used Spring Cloud.
* If there are other questions, feel free to ask them on this list!

Tim

--
Tim Donohue (he/him)
Technical Lead, DSpace
[email protected]
Lyrasis.org<https://www.lyrasis.org/> | DSpace.org<http://dspace.org>
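A small exposure check for the conditions the announcement above lays out, added here as an illustration; it is not DSpace project code and is not part of Tim's message. It takes the thresholds exactly as stated: DSpace 7 on JDK 9 or later is affected, the PR 8231 changes (or the 7.2.1 release that carries them) mitigate, and Tomcat 9.0.62 or a later 9.x release mitigates. For any Tomcat line other than 9.x it reports "unknown" rather than guessing a threshold the announcement does not give. The `java -version` parsing handles the pre-9 "1.8.x" numbering scheme, and the Tomcat comparison is numeric so that 9.0.7 does not sort above 9.0.62 the way a plain string comparison would. The inventory rows at the bottom are constructed samples, not real hosts.

```python
import re
from typing import Optional, Tuple

# Thresholds taken from the announcement above. Everything else in this
# script is an added illustration, not DSpace project code.
AFFECTED_DSPACE_MAJOR = 7          # DSpace 6.x and below are not impacted
AFFECTED_JDK_MIN_MAJOR = 9         # vulnerability only occurs on JDK 9+
DSPACE_FIXED_RELEASE = (7, 2, 1)   # 7.2.1 ships the PR 8231 changes
TOMCAT9_FIXED = (9, 0, 62)         # Tomcat 9.0.62+ provides protection


def java_major_version(version: str) -> int:
    """Major version from a `java -version` line or a bare version string.

    JDK 8 and earlier report '1.8.0_292' (the major is the second field);
    JDK 9 and later report '11.0.2' or just '17'.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    first = int(m.group(1))
    if first == 1 and m.group(2) is not None:
        return int(m.group(2))
    return first


def parse_version(version: str) -> Tuple[int, ...]:
    """Three-part numeric tuple from '9.0.62', '6.3' or 'Apache Tomcat/9.0.62'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return parts + (0,) * (3 - len(parts))


def tomcat9_has_mitigation(version: str) -> Optional[bool]:
    """True/False for a Tomcat 9.x build; None for other lines, since the
    announcement only states the 9.x threshold."""
    v = parse_version(version)
    if v[0] != 9:
        return None
    return v >= TOMCAT9_FIXED   # tuple comparison: (9,0,7) < (9,0,62) as intended


def dspace_exposure(dspace_version: str, java_version: str,
                    tomcat_version: str, pr8231_applied: bool = False) -> str:
    """Classify one backend against the conditions in the announcement."""
    dsp = parse_version(dspace_version)
    if dsp[0] < AFFECTED_DSPACE_MAJOR:
        return "not_affected_dspace_version"
    if java_major_version(java_version) < AFFECTED_JDK_MIN_MAJOR:
        return "not_affected_jdk8_or_older"
    if pr8231_applied or dsp >= DSPACE_FIXED_RELEASE:
        return "mitigated_by_dspace_patch"
    mitigated = tomcat9_has_mitigation(tomcat_version)
    if mitigated is None:
        return "unknown_tomcat_line"
    return "mitigated_by_tomcat" if mitigated else "exposed"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("repo-a", "7.2", 'openjdk version "11.0.2" 2019-01-15', "Apache Tomcat/9.0.58", False),
        ("repo-b", "7.1", 'openjdk version "17" 2021-09-14', "Apache Tomcat/9.0.62", False),
        ("repo-c", "7.0", 'openjdk version "11.0.14"', "Apache Tomcat/9.0.40", True),
        ("repo-d", "6.3", 'java version "1.8.0_292"', "Apache Tomcat/8.5.50", False),
    ]
    for host, dsp, jv, tc, patched in inventory:
        print(f"{host}: {dspace_exposure(dsp, jv, tc, patched)}")
```

Feed it the output of `java -version` and the `Server version:` line from Tomcat's `version.sh` for each backend; anything classified as "exposed" needs either the PR 8231 patch (or the 7.2.1 release) or a Tomcat upgrade, while "unknown_tomcat_line" means the announcement's Tomcat guidance does not cover that line and the patch route is the one to take.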
