[Netarchivesuite-users] Spring4Shell Vulnerability

Soleto Ruiz de Clavijo, Miguel miguel.soleto at externos.bne.es
Tue Apr 12 13:49:32 CEST 2022


Yes, it must be both conditions. Here at BNE we are not affected. I just wanted to share the link because maybe some other library could be affected.

Regards,
Miguel.

From: NetarchiveSuite-users <netarchivesuite-users-bounces at ml.sbforge.org> On Behalf Of Bjarne Andersen
Sent: Tuesday, 12 April 2022 13:45
To: netarchivesuite-users at ml.sbforge.org; 'netarchivesuite-users-bounces at ml.sbforge.org' <netarchivesuite-users-bounces at ml.sbforge.org>
CC: García Arratia, Juan Carlos <juancarlos.garcia at bne.es>; Monzón, Fernando <f.monzon at bne.es>; Cerdán Medina, José Carlos <josec.cerdan at bne.es>
Subject: Re: [Netarchivesuite-users] Spring4Shell Vulnerability

Yes, Spring 5.3.3 is affected BUT only vulnerable if both of these conditions are fulfilled at the same time:

- Running Java 9 or higher
- Application deployed in a Tomcat application server (through a .war-file)

And in practice also primarily vulnerable if exposed to the Internet (to do the exploit).

Neither condition is present in the Danish installation - but you could of course build and package the applications into a war-file and run these under Tomcat using Java 9 or higher - and in that case you should consider your installation. The quickest fix would be to upgrade your Tomcat installation with the newest builds of that, which removes the exploit.

I would expect the Spring library to be upgraded in a future release of NetarchiveSuite.

Best
Bjarne Andersen


From: NetarchiveSuite-users <netarchivesuite-users-bounces at ml.sbforge.org> On Behalf Of Soleto Ruiz de Clavijo, Miguel
Sent: Tuesday, April 12, 2022 1:39 PM
To: 'netarchivesuite-users at ml.sbforge.org' <netarchivesuite-users at ml.sbforge.org>; 'netarchivesuite-users-bounces at ml.sbforge.org' <netarchivesuite-users-bounces at ml.sbforge.org>
Cc: García Arratia, Juan Carlos <juancarlos.garcia at bne.es>; Monzón, Fernando <f.monzon at bne.es>; Cerdán Medina, José Carlos <josec.cerdan at bne.es>
Subject: [Netarchivesuite-users] Spring4Shell Vulnerability

Hi,
Here is a link about the vulnerability I told you about in the meeting:
https://securelist.com/spring4shell-cve-2022-22965/106239/

So, this affects systems that use:

- Java version >= 9
- Spring framework version from 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19

We are using Java version 7 and 8 (PRO & PRE environments). I have seen that NAS 7.3 uses Spring version 5.3.3, so it could be affected.

Best Regards,
Miguel.
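The two messages above together give the full set of conditions for CVE-2022-22965: the affected Spring Framework ranges and Java >= 9 from Miguel's list, plus the .war-on-Tomcat deployment and Internet exposure from Bjarne's reply. The following triage helper is an added example, not code from the thread or from NetarchiveSuite; it encodes those conditions so an operator can run it over an inventory of installations. The deployment records are constructed samples, the function names are my own, and the first fixed versions named in the recommendation (5.3.18 / 5.2.20) are taken from the vendor fix, not from the thread.

```python
"""Triage helper for the CVE-2022-22965 (Spring4Shell) conditions discussed in the thread.

Added example; the deployment records below are constructed, not real installations.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Affected Spring Framework ranges as listed in the thread (inclusive bounds).
AFFECTED_SPRING_RANGES = (
    ((5, 2, 0), (5, 2, 19)),
    ((5, 3, 0), (5, 3, 17)),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.3.3', '5.3.18.RELEASE', '1.8.0_292' or '11.0.14' into a tuple of ints.

    Legacy Java strings such as '1.8.0_292' mean Java 8, so a leading '1.' is dropped.
    Non-numeric qualifiers (e.g. 'RELEASE', build suffixes) are ignored.
    """
    core = text.strip().split("_")[0].split("-")[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    if len(parts) >= 2 and parts[0] == 1:  # legacy 1.x Java numbering
        parts = parts[1:]
    return parts


def java_major(text: str) -> int:
    """Major Java version: '1.8.0_292' -> 8, '11.0.14' -> 11, '17' -> 17."""
    return parse_version(text)[0]


def spring_in_affected_range(version: str) -> bool:
    """True when the Spring version falls inside one of the affected ranges."""
    v = (parse_version(version) + (0, 0, 0))[:3]  # pad so '5.3' compares like '5.3.0'
    return any(lo <= v <= hi for lo, hi in AFFECTED_SPRING_RANGES)


@dataclass
class Deployment:
    name: str
    java_version: str
    spring_version: str
    packaged_as_war_on_tomcat: bool
    internet_exposed: bool = False


def assess(d: Deployment) -> Tuple[bool, List[str], str]:
    """Return (vulnerable, conditions_not_met, recommended_action).

    All three conditions from the thread must hold for the installation to be
    exploitable; every condition that does NOT hold is recorded as a reason.
    """
    blocking: List[str] = []
    if java_major(d.java_version) < 9:
        blocking.append(f"Java {d.java_version} is below 9")
    if not spring_in_affected_range(d.spring_version):
        blocking.append(f"Spring {d.spring_version} is outside the affected ranges")
    if not d.packaged_as_war_on_tomcat:
        blocking.append("not deployed as a .war on Tomcat")

    vulnerable = not blocking
    if vulnerable:
        action = ("upgrade Spring Framework to 5.3.18 / 5.2.20 or later, "
                  "or Tomcat to a build that removes the exploit vector")
        if d.internet_exposed:
            action = "URGENT (Internet-exposed): " + action
    else:
        action = "no action required for CVE-2022-22965"
    return vulnerable, blocking, action


# Constructed sample inventory mirroring the situations described in the thread.
SAMPLE_DEPLOYMENTS = [
    Deployment("nas-pro-java8", "1.8.0_292", "5.3.3", packaged_as_war_on_tomcat=False),
    Deployment("custom-war-tomcat", "11.0.14", "5.3.3", packaged_as_war_on_tomcat=True,
               internet_exposed=True),
    Deployment("patched-war", "17", "5.3.18.RELEASE", packaged_as_war_on_tomcat=True),
]

if __name__ == "__main__":
    for dep in SAMPLE_DEPLOYMENTS:
        vulnerable, reasons, action = assess(dep)
        status = "VULNERABLE" if vulnerable else "not vulnerable"
        print(f"{dep.name}: {status}; {action}")
        for r in reasons:
            print(f"    - {r}")
```

Run it as a script for a readable report, or import `assess` and feed it records pulled from your own configuration management. The version parser deliberately tolerates the `1.8.0_xxx` form that `java -version` prints on Java 7/8, which is the form most likely to appear in an inventory of older installations such as the PRO/PRE environments mentioned above.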
________________________________
The information in this e-mail and any attachments is confidential and it is intended for the addressee only. If you have received this e-mail in error, you are notified that any revision, amendment, print, copy, disclosure, distribution or use of the contents is unauthorized. Carrying out any of the above actions is expressly banned by rules governing this matter. Hence we request that if you are not the intended recipient, please notify the sender by answering this e-mail, and delete the message and any attachments. The National Library of Spain reserves the right to take the appropriate legal actions in the event that the above is infringed.
________________________________