All,

Recently, several security vulnerabilities were discovered in the XMLUI,
JSPUI and REST API.

WE RECOMMEND ALL SITES UPGRADE TO EITHER DSPACE 6.1, 5.7 or 4.8 to ensure
your site is secure, or manually patch your site using the tickets detailed
below. (Please note that the DSpace 6.1 and 5.7 releases also include bug
fixes to those platforms.)

   - DSpace 6.1
      - Release Notes: https://wiki.duraspace.org/display/DSDOC6x/Release+Notes
      - Download: https://github.com/DSpace/DSpace/releases/tag/dspace-6.1
   - DSpace 5.7
      - Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
      - Download: https://github.com/DSpace/DSpace/releases/tag/dspace-5.7
   - DSpace 4.8
      - Release Notes: https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
      - Download: https://github.com/DSpace/DSpace/releases/tag/dspace-4.8

General vulnerabilities affecting both JSPUI and XMLUI:

   - *[HIGH SEVERITY] Basic (Traditional) Workflow approval process is
   vulnerable to unauthorized manipulations.*
   (https://jira.duraspace.org/browse/DS-3647 - requires a JIRA account to
   access.) This vulnerability could allow users with submit access to approve
   any of their own submissions which require workflow approval. This
   vulnerability affects *all prior versions* of DSpace. It was discovered
   by Pascal Becker (The Library Code / TU Berlin).
   - *[LOW SEVERITY] DSpace shipped with a version of Apache Commons
   Configuration that was vulnerable to COLLECTIONS-580 (Deserialization
   Vulnerability).* (https://jira.duraspace.org/browse/DS-3520 - requires
   a JIRA account to access.) However, there is currently no known way to
   exploit this vulnerability in DSpace itself. This vulnerability only
   affects DSpace 5.x and below. It was discovered by Alan Orth.
   - *[LOW SEVERITY] DSpace failed to check if policies had valid dates
   when checking access permissions.*
   (https://jira.duraspace.org/browse/DS-3619 - requires a JIRA account to
   access.) However, there is currently no known way to exploit this
   vulnerability in DSpace itself. This vulnerability only affects DSpace 6.x.
   It was discovered by Pascal Becker (The Library Code / TU Berlin).
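The workflow item above (DS-3647) comes down to one authorization rule: an approval action must be checked against membership in the workflow step, not against the right to submit. The model below is an added illustration written for this post, not DSpace's own code; the `Collection`, `Item`, `deposit` and `approve` names and the single "reviewers" step are simplifications of a real workflow. The same `deposit` rule applies to every client path into a collection, whether a UI form or an API call.

```python
from dataclasses import dataclass, field
from typing import Set


class Forbidden(Exception):
    """Raised when an actor attempts an action they are not authorized for."""


@dataclass
class Collection:
    name: str
    # Members of the workflow reviewer step. An empty set means the
    # collection has no workflow and deposits archive immediately.
    reviewers: Set[str] = field(default_factory=set)


@dataclass
class Item:
    submitter: str
    collection: Collection
    in_workflow: bool = False
    archived: bool = False


def deposit(item: Item) -> Item:
    """Deposit path shared by every client: a collection that has a
    workflow never accepts a direct write into the archive."""
    if item.collection.reviewers:
        item.in_workflow = True
    else:
        item.archived = True
    return item


def approve(item: Item, actor: str) -> Item:
    """Approval is authorized against the workflow step, not against
    submit rights: only reviewers of the collection may approve."""
    if not item.in_workflow:
        raise Forbidden("item is not awaiting workflow approval")
    if actor not in item.collection.reviewers:
        raise Forbidden(f"{actor} is not a reviewer for {item.collection.name}")
    item.in_workflow = False
    item.archived = True
    return item


def demo() -> dict:
    """Constructed scenario: 'alice' may submit to 'theses' but is not a
    reviewer; 'bob' is the reviewer."""
    theses = Collection("theses", reviewers={"bob"})
    item = deposit(Item(submitter="alice", collection=theses))
    result = {"queued": item.in_workflow, "self_approved": False}
    try:
        approve(item, "alice")  # submitter tries to approve her own item
    except Forbidden:
        pass
    else:
        result["self_approved"] = True
    approve(item, "bob")        # the assigned reviewer approves
    result["archived"] = item.archived
    return result


if __name__ == "__main__":
    print(demo())  # {'queued': True, 'self_approved': False, 'archived': True}
```

When auditing a patch for this class of issue, the question to ask of each approval endpoint is whether it calls something equivalent to `approve` (reviewer membership checked) or merely confirms that the caller may submit to the collection.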

Additional REST API Vulnerabilities:

   - *[HIGH SEVERITY] A user with submit permissions can bypass workflow
   approvals by depositing via REST API.*
   (https://jira.duraspace.org/browse/DS-3281 - requires a JIRA account to
   access.) This vulnerability only affects the DSpace 5.x and 6.x REST API.
   It was discovered by Emilio Lorenzo.
   - *[LOW SEVERITY] The "find-by-metadata" path publicly exposes metadata
   from access-restricted items.* (https://jira.duraspace.org/browse/DS-3628 -
   requires a JIRA account to access.) This vulnerability only affects the
   DSpace 6.x REST API. It was reported by Bram Luyten (Atmire).
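Two of the low-severity items share a pattern: a read check that is either incomplete (DS-3619, policy dates not consulted) or skipped entirely on one path (DS-3628, a metadata search returning hits the caller cannot read). The following is an added example written for this post, not DSpace's code; the `ResourcePolicy` fields, the `Anonymous` and `Administrator` group names and the sample items and policies are all constructed for illustration. It places the date-unaware check next to the corrected one and routes the search through the corrected check.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class ResourcePolicy:
    item_id: str
    group: str                         # group granted READ; "Anonymous" = everyone
    start_date: Optional[date] = None  # not in force before this day (embargo)
    end_date: Optional[date] = None    # not in force after this day (lease)


def policy_in_force(p: ResourcePolicy, today: date) -> bool:
    """A policy only grants anything inside its validity window."""
    if p.start_date is not None and today < p.start_date:
        return False
    if p.end_date is not None and today > p.end_date:
        return False
    return True


def can_read_ignoring_dates(policies: Iterable[ResourcePolicy],
                            item_id: str, groups: Set[str]) -> bool:
    """Defective check: any matching READ policy grants access,
    whatever its dates say."""
    return any(p.item_id == item_id and p.group in groups for p in policies)


def can_read(policies: Iterable[ResourcePolicy], item_id: str,
             groups: Set[str], today: date) -> bool:
    """Corrected check: the matching policy must also be in force today."""
    return any(p.item_id == item_id and p.group in groups
               and policy_in_force(p, today) for p in policies)


def find_by_metadata(items: Iterable[dict], policies: Iterable[ResourcePolicy],
                     field: str, value: str, groups: Set[str],
                     today: date) -> List[str]:
    """Metadata search that filters every hit through the same READ check
    the item view uses, so restricted items never leak through search."""
    policies = list(policies)
    return [i["id"] for i in items
            if i["metadata"].get(field) == value
            and can_read(policies, i["id"], groups, today)]


# Constructed sample data: three theses, one public, one under embargo
# until 2018-01-01, one readable only by administrators.
ITEMS = [
    {"id": "A", "metadata": {"dc.type": "Thesis"}},
    {"id": "B", "metadata": {"dc.type": "Thesis"}},
    {"id": "C", "metadata": {"dc.type": "Thesis"}},
]
POLICIES = [
    ResourcePolicy("A", "Anonymous"),
    ResourcePolicy("B", "Anonymous", start_date=date(2018, 1, 1)),
    ResourcePolicy("C", "Administrator"),
]

if __name__ == "__main__":
    anon = {"Anonymous"}
    print(can_read_ignoring_dates(POLICIES, "B", anon))          # True (wrong)
    print(can_read(POLICIES, "B", anon, date(2017, 7, 1)))       # False
    print(find_by_metadata(ITEMS, POLICIES, "dc.type", "Thesis",
                           anon, date(2017, 7, 1)))              # ['A']
```

The important design point is that `find_by_metadata` does not carry its own access logic; it reuses `can_read`, so a fix to the policy evaluation (such as honouring dates) automatically applies to search as well.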

As these vulnerabilities are now considered "public", questions may be
asked on our DSpace Tech Support mailing list (
https://groups.google.com/forum/#!forum/dspace-tech) or on the tickets
themselves. As noted above, each of the tickets requires a DuraSpace JIRA
account to access at this time. If you do not yet have an account, you may
request one by emailing [email protected].

We also welcome private security reports, concerns or questions via our
security contact address ([email protected]).

Sincerely,

Tim Donohue (on behalf of the DSpace Committers)
-- 

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
