<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1370955380;
mso-list-type:hybrid;
mso-list-template-ids:-371920556 201981953 201981955 201981957 201981953 201981955 201981957 201981953 201981955 201981957;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1498688152;
mso-list-type:hybrid;
mso-list-template-ids:-1467026366 -40739068 67502083 67502085 67502081 67502083 67502085 67502081 67502083 67502085;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:20.4pt;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:56.4pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:92.4pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:128.4pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:164.4pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:200.4pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:236.4pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:272.4pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:308.4pt;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="DA" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Yes, Spring 5.3.3 is affected BUT only vulnerable if both of these conditions are fulfilled at the same time:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:20.4pt;text-indent:-18.0pt;mso-list:l1 level1 lfo3">
<![if !supportLists]><span lang="EN-US" style="color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="EN-US" style="color:#1F497D">Running Java 9 or higher<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:20.4pt;text-indent:-18.0pt;mso-list:l1 level1 lfo3">
<![if !supportLists]><span lang="EN-US" style="color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="EN-US" style="color:#1F497D">Application deployed in a Tomcat application server (through a .war-file)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">And in practice also primarily vulnerable if exposed to the Internet (to do the exploit)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Neither condition is present in the Danish Installation – but you could of course build and package the applications into a war-file and run these under Tomcat using Java 9 or higher – and in that
case you should consider your installation. The quickest fix would be to upgrade your Tomcat-installation with the newest builds of that, which removes the exploit.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I would expect the Spring Library to be upgraded in a future release of NetarchiveSuite.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Best<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Bjarne Andersen<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="mso-fareast-language:DA">From:</span></b><span style="mso-fareast-language:DA"> NetarchiveSuite-users &lt;netarchivesuite-users-bounces@ml.sbforge.org&gt;
<b>On Behalf Of </b>Soleto Ruiz de Clavijo, Miguel<br>
<b>Sent:</b> Tuesday, April 12, 2022 1:39 PM<br>
<b>To:</b> 'netarchivesuite-users@ml.sbforge.org' &lt;netarchivesuite-users@ml.sbforge.org&gt;; 'netarchivesuite-users-bounces@ml.sbforge.org' &lt;netarchivesuite-users-bounces@ml.sbforge.org&gt;<br>
<b>Cc:</b> García Arratia, Juan Carlos &lt;juancarlos.garcia@bne.es&gt;; Monzón, Fernando &lt;f.monzon@bne.es&gt;; Cerdán Medina, José Carlos &lt;josec.cerdan@bne.es&gt;<br>
<b>Subject:</b> [Netarchivesuite-users] Spring4Shell Vulnerability<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="ES">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES">Here is a link about the vulnerability I told you about in the meeting:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"><a href="https://securelist.com/spring4shell-cve-2022-22965/106239/">https://securelist.com/spring4shell-cve-2022-22965/106239/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ES">So, this affects systems that use:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span lang="ES" style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="ES">Java version >= 9<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span lang="ES" style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span lang="ES">Spring framework version from 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ES">We are using Java version 7 and 8 (PRO &amp; PRE environments). I have seen that NAS 7.3 uses Spring version 5.3.3, so it could be affected.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ES">Best Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ES">Miguel.<o:p></o:p></span></p>
</div>
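<p class="MsoNormal"><span lang="EN-US">The conditions discussed in this thread can be combined into one triage check for a deployment. The following is an added example, not part of the original messages and not NetarchiveSuite code; the function names are hypothetical, the Spring ranges are the ones quoted in the thread, and the version strings in the sample run are constructed.</span></p>

```python
import re

# Affected Spring Framework ranges quoted in the thread (inclusive bounds).
AFFECTED_SPRING = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))


def java_major(version):
    """Major release from a java.version string: the legacy scheme
    "1.8.0_312" gives 8, the Java 9+ scheme "11.0.14.1" gives 11."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    first = int(m.group(1))
    return int(m.group(2)) if first == 1 and m.group(2) else first


def spring_affected(version):
    """True if a version such as "5.3.3" or "5.2.19.RELEASE" lies in one
    of the affected ranges; a missing patch number counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    v = tuple(int(part or 0) for part in m.groups())
    return any(low <= v <= high for low, high in AFFECTED_SPRING)


def triage(java_version, spring_version, war_on_tomcat):
    """Return (status, unmet): status is "not affected", "affected" (library
    in range, some condition missing) or "vulnerable" (all conditions hold);
    unmet lists the conditions from the thread that do not hold."""
    if not spring_affected(spring_version):
        return "not affected", []
    unmet = []
    if java_major(java_version) < 9:
        unmet.append("Java 9 or higher")
    if not war_on_tomcat:
        unmet.append("WAR deployed on Tomcat")
    return ("affected" if unmet else "vulnerable"), unmet


if __name__ == "__main__":
    # Constructed sample deployments, not taken from any real installation.
    for case in (("1.8.0_312", "5.3.3", False), ("11.0.14.1", "5.3.3", True),
                 ("17.0.2", "5.3.18", True)):
        print(case, "->", triage(*case))
```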
</body>
</html>