The vulnerability centres on use of the StringSubstitutor from an unfiltered input.
It looks from the source that the function is used for substitutions derived from dspace configuration files. On an initial review, as long as these config files are well-governed dspace7 should be safe in the context of this vulnerability. On Thursday, October 20, 2022 at 7:51:26 PM UTC+11 [email protected] wrote: > Hi all, > There has been discovered a vulnerability affecting versions 1.5 to 1.9 of > Apache Commons Text: > https://nvd.nist.gov/vuln/detail/CVE-2022-42889 > > I've seen DSpace 7 uses the 1.9 version of this library: > https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850 > > It is recommended to update to 1.10, but I haven't tested it yet myself. > Just wanted to make sure everyone who is using DSpace 7 in production is > aware of this. > > Regards, > Oriol > > PS: Here are some more links about the vulnerability > > https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/ > > https://www.securityweek.com/critical-apache-commons-text-flaw-compared-log4shell-not-widespread > > https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/ > > > -- All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx --- You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/0d1fcb02-4acb-4aaa-985c-54d8a847215en%40googlegroups.com.
