[Netarchivesuite-users] Spring4Shell Vulnerability + ViewerProxy/Jetty
Peter Svanberg
Peter.Svanberg at kb.se
Tue Apr 12 17:08:56 CEST 2022
Speaking about vulnerability and NAS: ViewerProxy uses an old version of Jetty:
Eclipse Jetty 6.1.26 reached end-of-life on 2010-11-30 and is no longer supported by the vendor.
(Our security scanning discovered this.)
-----
Peter Svanberg
National Library of Sweden
Phone: +46 10 709 32 78
From: NetarchiveSuite-users <netarchivesuite-users-bounces at ml.sbforge.org> On Behalf Of Soleto Ruiz de Clavijo, Miguel
Sent: 12 April 2022 13:50
To: netarchivesuite-users at ml.sbforge.org; 'netarchivesuite-users-bounces at ml.sbforge.org' <netarchivesuite-users-bounces at ml.sbforge.org>
Cc: García Arratia, Juan Carlos <juancarlos.garcia at bne.es>; Monzón, Fernando <f.monzon at bne.es>; Cerdán Medina, José Carlos <josec.cerdan at bne.es>
Subject: Re: [Netarchivesuite-users] Spring4Shell Vulnerability
Yes, it must be the two conditions. Here, at BNE, we are not affected. I just wanted to share the link because maybe some other library could be affected.
Regards,
Miguel.
From: NetarchiveSuite-users <netarchivesuite-users-bounces at ml.sbforge.org> On Behalf Of Bjarne Andersen
Sent: Tuesday, 12 April 2022 13:45
To: netarchivesuite-users at ml.sbforge.org; 'netarchivesuite-users-bounces at ml.sbforge.org' <netarchivesuite-users-bounces at ml.sbforge.org>
Cc: García Arratia, Juan Carlos <juancarlos.garcia at bne.es>; Monzón, Fernando <f.monzon at bne.es>; Cerdán Medina, José Carlos <josec.cerdan at bne.es>
Subject: Re: [Netarchivesuite-users] Spring4Shell Vulnerability
Yes, Spring 5.3.3 is affected BUT only vulnerable if both these conditions are fulfilled at the same time:
- Running Java 9 or higher
- Application deployed in a Tomcat application server (through a .war-file)
And in practice also primarily vulnerable if exposed to the Internet (to do the exploit)
Neither condition is present in the Danish installation - but you could of course build and package the applications into a war-file and run these under Tomcat using Java 9 or higher - and in that case you should consider your installation. The quickest fix would be to upgrade your Tomcat installation with the newest builds of that, which removes the exploit.
I would expect the Spring library to be upgraded in a future release of NetarchiveSuite.
Best
Bjarne Andersen
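As an added illustration of the triage described in this thread (this is not code from the mailing list, from NetarchiveSuite or from its authors), the following Python script encodes the conditions named above: a Spring version in 5.3.0-5.3.17 or 5.2.0-5.2.19, Java 9 or newer, and deployment as a WAR inside Tomcat. It assumes Spring jars follow the naming convention spring-<module>-<version>.jar, uses a constructed jar listing as input, and takes the "WAR on Tomcat" fact as a hand-supplied flag, since that depends on the local install. The Java version parser handles the pre-9 "1.8.0_312" format, which a naive first-field check would misread as major version 1.

```python
import re
from dataclasses import dataclass, field

# Conditions as stated in the thread: Spring 5.3.0-5.3.17 or 5.2.0-5.2.19,
# Java 9 or newer, and the application deployed as a WAR inside Tomcat.
AFFECTED_SPRING_RANGES = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))
MIN_AFFECTED_JAVA_MAJOR = 9

# Assumed jar naming convention, e.g. "spring-core-5.3.3.jar".
SPRING_JAR_RE = re.compile(r"^spring-[a-z]+-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn "5.3.3" into (5, 3, 3) so that tuples compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_java_major(text: str) -> int:
    """Return the Java major version from a java.version-style string.

    JDK 8 and earlier report "1.7.0_80" / "1.8.0_312" (major is the second
    field); JDK 9 and later report "9", "11.0.14", "17" (major is the first).
    """
    parts = text.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group(0))


def spring_version_in_affected_range(version: str) -> bool:
    """True if the Spring version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_SPRING_RANGES)


def find_spring_versions(jar_names) -> set:
    """Collect Spring versions from a list of jar file names in a deployment."""
    found = set()
    for name in jar_names:
        m = SPRING_JAR_RE.match(name)
        if m:
            found.add(m.group(1))
    return found


@dataclass
class Verdict:
    vulnerable: bool
    unmet_conditions: list = field(default_factory=list)


def assess(java_version: str, spring_versions, war_on_tomcat: bool) -> Verdict:
    """Apply the three conditions; all must hold for the deployment to be exposed."""
    unmet = []
    if not any(spring_version_in_affected_range(v) for v in spring_versions):
        unmet.append("no Spring jar in an affected version range")
    if parse_java_major(java_version) < MIN_AFFECTED_JAVA_MAJOR:
        unmet.append("Java major version below 9")
    if not war_on_tomcat:
        unmet.append("not deployed as a WAR in Tomcat")
    return Verdict(vulnerable=not unmet, unmet_conditions=unmet)


# Constructed sample inventory; not a real NAS file listing.
SAMPLE_JARS = [
    "spring-core-5.3.3.jar",
    "spring-beans-5.3.3.jar",
    "jetty-6.1.26.jar",
    "commons-io-2.6.jar",
]

if __name__ == "__main__":
    versions = find_spring_versions(SAMPLE_JARS)
    for java, war in (("1.8.0_312", False), ("11.0.14", True)):
        verdict = assess(java, versions, war)
        status = "VULNERABLE" if verdict.vulnerable else "not exposed"
        print(f"Java {java}, {'WAR on Tomcat' if war else 'standalone'}: "
              f"{status} {verdict.unmet_conditions}")
```

The script reports which of the three conditions fail, so an installation that runs Java 7 or 8 (as in the BNE and Danish setups described here) is classified as not exposed even though the bundled Spring 5.3.3 is in the affected range; once Java is upgraded, the same inventory makes the WAR/Tomcat question the deciding one.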
From: NetarchiveSuite-users <netarchivesuite-users-bounces at ml.sbforge.org> On Behalf Of Soleto Ruiz de Clavijo, Miguel
Sent: Tuesday, April 12, 2022 1:39 PM
To: 'netarchivesuite-users at ml.sbforge.org' <netarchivesuite-users at ml.sbforge.org>; 'netarchivesuite-users-bounces at ml.sbforge.org' <netarchivesuite-users-bounces at ml.sbforge.org>
Cc: García Arratia, Juan Carlos <juancarlos.garcia at bne.es>; Monzón, Fernando <f.monzon at bne.es>; Cerdán Medina, José Carlos <josec.cerdan at bne.es>
Subject: [Netarchivesuite-users] Spring4Shell Vulnerability
Hi,
Here is a link about the vulnerability I told you about in the meeting:
https://securelist.com/spring4shell-cve-2022-22965/106239/
So, this affects systems that use:
- Java version >= 9
- Spring framework version from 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19
We are using Java version 7 and 8 (PRO & PRE environments). I have seen that NAS 7.3 uses Spring version 5.3.3, so it could be affected.
Best Regards,
Miguel.