Re: [Archivesspace_Users_Group] Jetty out of date - critical vulnerability

2021-10-27 Thread Christine Di Bella
Hello everyone,

Our policy for reporting security issues is at archivesspace/SECURITY.md (master 
branch of archivesspace/archivesspace). Given the sensitivity, we maintain 
security issues in a non-public JIRA. When you encounter issues locally, please 
do reach out to us at archivesspaceh...@lyrasis.org first so that we can 
discuss it with you.

We're currently investigating this issue. ArchivesSpace has many dependencies 
built into it, which can make upgrading individual pieces more complex than it 
might otherwise be. The timing for upgrades is always dependent on matching our 
available resources with the community's highest priorities, while taking care 
of infrastructure items and dependencies with the highest urgency as quickly as 
possible. Jetty is used in a relatively limited way in ArchivesSpace, as it is 
not the primary web server for most people using the application, which has, in 
the past, made upgrading it less time sensitive than it might otherwise be. We 
will review all new information, however, to determine if circumstances have 
changed. We'll have an update on this soon.

Christine

Christine Di Bella
ArchivesSpace Program Manager
christine.dibe...@lyrasis.org
800.999.8558 x2905
678-235-2905


From: archivesspace_users_group-boun...@lyralists.lyrasis.org On Behalf Of 
Shalvi, Doron (NIH/NLM) [C]
Sent: Monday, October 25, 2021 11:14 AM
To: archivesspace_users_group@lyralists.lyrasis.org
Subject: [Archivesspace_Users_Group] Jetty out of date - critical vulnerability

Hello,

I wanted to pass on to the community some critical security vulnerabilities 
that we recently found when scanning our ArchivesSpace instance.  These 
vulnerabilities allow authorization to be bypassed, due to the out-of-date 
version of Jetty delivered with the system.  I've written up these issues as a 
JIRA ticket at: https://archivesspace.atlassian.net/browse/ANW-1437, but also 
wanted to post about the issue here to allow for discussion.

We are hoping to soon open our ArchivesSpace instance to the general public.  
Our security team will not allow ArchivesSpace to be opened to the public while 
it has a critical security vulnerability.

We are running ArchivesSpace 2.8.1, which uses Jetty 8.1.5.  However, since all 
recent versions of ArchivesSpace use the same version of Jetty, I assume that 
all recent versions of ArchivesSpace are affected as well, including recent 
version 3.1.  Version 8 of Jetty is considered "venerable" (older even than 
deprecated), as noted at https://www.eclipse.org/jetty/download.php .  With 
this version of Jetty, NetSparker noted 2 critical issues, 3 high issues, 1 
medium issue, and 1 low issue.

These issues were found by NetSparker, which is one of the security tools we 
use for scanning.  Interestingly, this issue was found by NetSparker only a few 
weeks ago, and not in our previous NetSparker scans, even though our 
ArchivesSpace instance has not changed.  This implies that the issue was just 
recently added to NetSparker's vulnerability database, may become more 
well-known, and could present an issue to other organizations using 
ArchivesSpace as well.

I understand that ArchivesSpace does not heavily use Jetty, and does not serve 
any static content using Jetty.  However, Jetty can still be exploited even if 
it is behind an intermediary, such as Apache, as described in the links in the 
ticket.  We have spent a little bit of time attempting to upgrade Jetty on our 
own.  We were able to upgrade to Jetty 9.4, but this version is still 
vulnerable to the issues noted above.  We weren't able to upgrade to Jetty 10 
or 11, both of which require Java 11 - it looks like this may take some work.

Has anyone else observed these issues?  Would anyone have suggestions for 
remediation?

I think that the best approach would be to upgrade Jetty to version 10 or 11, 
in line with a move to Java 11.

Thanks for your thoughts and consideration!

Doron Shalvi
System Engineer
National Library of Medicine

___
Archivesspace_Users_Group mailing list
Archivesspace_Users_Group@lyralists.lyrasis.org
http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group


[Archivesspace_Users_Group] Webinar Reminder: Making the Required Move to External Solr for ArchivesSpace

2021-10-27 Thread Jessica Crouch
Dear ArchivesSpace Users,

ArchivesSpace will be offering a webinar on making the required move to 
external Solr for new ArchivesSpace releases next Wednesday, November 3rd at 
2pm ET/11am PT.  In this webinar, members of the ArchivesSpace program team 
will provide background information about this necessary change and walk 
attendees through some considerations for downloading and installing Solr.

Webinar: Making the Required Move to External Solr for ArchivesSpace

When: November 3, 2021
Time: 2:00 p.m. – 3:00 p.m. ET (11:00 a.m. – 12:00 pm PT)
Where: Zoom

Registration: https://lyrasis.zoom.us/webinar/register/WN_81SNSMgFTnu6Gmcdf4lO3g

This webinar will be recorded and made available on the ArchivesSpace YouTube 
channel.

Webinar description:

ArchivesSpace uses Solr for its search platform. Due to necessary upgrades 
that require moving to external deployment of Solr for the application, 
beginning in late 2021 deploying ArchivesSpace will require installing and 
configuring Solr. This change will not affect end users directly, but it will 
be a significant change for system administrators and others who deploy and 
manage ArchivesSpace.

In this webinar, members of the ArchivesSpace program team will provide some 
background information about this upcoming change to the way ArchivesSpace is 
deployed.  Team members will then walk attendees through considerations and 
logistics for downloading and installing Solr at their own institution.

An open discussion and Q&A will follow.

Who should attend:

Anyone who manages their own implementation of ArchivesSpace and anyone 
planning to upgrade to any version of ArchivesSpace after ArchivesSpace v3.1.x.

Please contact us at archivesspaceh...@lyrasis.org with any questions.

Jessica Dowd Crouch
Community Engagement Coordinator for ArchivesSpace
jessica.cro...@lyrasis.org



Re: [Archivesspace_Users_Group] Reorder mode in 3.1.0

2021-10-27 Thread Michelle Paquette
Hi Nic,

Just replying to say we found this behavior in our test instance, which is
on 3.1.0. Blake filed a ticket: ANW-1435, and a few of us have added
commentary. (Thanks to Valerie for the video.) Apologies if someone
already responded with similar info and I missed it.

Michelle

On Tue, Oct 26, 2021 at 11:44 AM Nic Stanton-Roark 
wrote:

> Hi all,
>
> Since upgrading to 3.1.0 I've noticed an issue with reorder mode. Records
> can be reordered and cut and paste, but when working with resources in a
> lower level of hierarchy, attempting to drag (or cut and paste) a resource
> kicks that resource up to the higher level. For example, moving the
> Dinners, Etc. file here to the General, 1945-1988 and selecting "Add items
> before" ends up with the record moved up to the series level.
>
> The file can then be re-added to the series as a child as normal. Nothing
> is noted in the logs during this, and it has persisted through both soft
> and hard reindexing. Is this a known issue or is there an obvious type of
> cause to investigate?
>
> Thanks for any advice.
>
>
> *Nicholas Stanton-Roark*  |  Archivist  | Robert A. Nicholson University
> Library
> Anderson University  |  1100 E. Fifth St, Anderson, IN 46012
> (765) 641-4285  |  ndro...@anderson.edu
>


-- 
Michelle Paquette
(she/her)
Metadata & Technical Services Archivist
Special Collections
Smith College
413-585-7029
mpaque...@smith.edu

For current library access and services details, see Library Services
During COVID-19.