All,
In recent weeks, several security vulnerabilities were discovered in
the JSPUI of DSpace 3.x, 4.x and 5.x sites. These vulnerabilities do NOT
affect XMLUI-based sites.
While these security vulnerabilities vary in severity (see below), WE
RECOMMEND ALL JSPUI-based SITES CONSIDER UPGRADING TO EITHER DSPACE 3.5,
4.4 OR 5.4 to ensure your site is secure. (Please note that the DSpace
5.4 release also includes bug fixes and memory usage enhancements.)
* DSpace 5.4 Release Notes:
https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
* DSpace 4.4 Release Notes:
https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
* DSpace 3.5 Release Notes:
https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.5+Notes
Summary of JSPUI Vulnerabilities:
------------------------------------------------
* [MEDIUM SEVERITY] Cross-site scripting (XSS injection) is possible
in the JSPUI search interface (in the Firefox web browser). (DS-2736
<https://jira.duraspace.org/browse/DS-2736> - requires a JIRA
account to access for two weeks, and then will be public): This
vulnerability could allow someone to embed dangerous JavaScript code
into links to search results. If a user was emailed such a link and
clicked it, the JavaScript would run in their local browser. This
vulnerability has existed since DSpace 3.x, and was discovered by
Genaro Contreras.
* [LOW SEVERITY] Expression language injection (EL injection) is
possible in the JSPUI search interface. (DS-2737
<https://jira.duraspace.org/browse/DS-2737> - requires a JIRA
account to access for two weeks, and then will be public): This
vulnerability could allow someone to obtain information from the
site/server using JSP syntax. This vulnerability has existed since
DSpace 3.x, and was discovered by Genaro Contreras.
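Both issues above are reflected through the JSPUI search query string, so
while an upgrade is pending, the web server access log is the natural place
to look for attempts. The script below is an added example (not part of
this announcement and not DSpace project code): it parses combined-format
access log lines, picks out requests to the JSPUI search pages, decodes the
query parameters, and flags values containing script-tag / event-handler
markup or JSP expression syntax. The endpoint paths (/simple-search,
/advanced-search), the log format and the sample log lines are assumptions
constructed for the example; adjust the paths to match your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:12:00:01 +0000] "GET /jspui/simple-search?query=open+access HTTP/1.1" 200 5120
203.0.113.6 - - [10/Oct/2015:12:00:02 +0000] "GET /jspui/simple-search?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4980
203.0.113.7 - - [10/Oct/2015:12:00:03 +0000] "GET /jspui/simple-search?query=%24%7B7*7%7D HTTP/1.1" 200 4990
203.0.113.8 - - [10/Oct/2015:12:00:04 +0000] "GET /jspui/handle/123456789/1 HTTP/1.1" 200 7000
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed JSPUI search endpoints; change to match your site's URL layout.
SEARCH_PATHS = ("/simple-search", "/advanced-search")

# Indicators of reflected-XSS attempts: script tags, javascript: URLs,
# inline event handlers such as onerror= / onload=.
XSS_RE = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Indicators of EL injection: JSP expression language opens with ${ or #{.
EL_RE = re.compile(r"[$#]\{")


def classify_query(value):
    """Return the list of indicator classes found in one decoded parameter value."""
    findings = []
    if XSS_RE.search(value):
        findings.append("xss")
    if EL_RE.search(value):
        findings.append("el-injection")
    return findings


def scan_log(text):
    """Scan access-log text; return one record per suspicious search parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(SEARCH_PATHS):
            continue  # only the search pages are in scope for these issues
        # parse_qs performs one round of percent-decoding; decode once more so
        # double-encoded values are inspected in their final form.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                decoded = unquote_plus(raw)
                findings = classify_query(decoded)
                if findings:
                    hits.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "param": name,
                        "value": decoded,
                        "findings": findings,
                    })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['param']}={hit['value']!r} -> {hit['findings']}")
```

Run it against a real log with `scan_log(open("access.log").read())`. A hit only
means someone sent such a request, not that it succeeded; on a patched
3.5/4.4/5.4 site the same lines are still worth reviewing as reconnaissance
against the JSPUI, and on an unpatched site they are the requests to
investigate first.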
If you or your institution have any further questions about these
vulnerabilities, please feel free to email the DSpace Tech Support
mailing list (https://groups.google.com/forum/#!forum/dspace-tech).
--
Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org