<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Mangal;
panose-1:0 0 4 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Oformaterad text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.E-postmall19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
span.E-postmall20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.E-postmall21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.E-postmall22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.E-postmall23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.OformateradtextChar
{mso-style-name:"Oformaterad text Char";
mso-style-priority:99;
mso-style-link:"Oformaterad text";
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1370955380;
mso-list-type:hybrid;
mso-list-template-ids:-371920556 201981953 201981955 201981957 201981953 201981955 201981957 201981953 201981955 201981957;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1498688152;
mso-list-type:hybrid;
mso-list-template-ids:-1467026366 -40739068 67502083 67502085 67502081 67502083 67502085 67502081 67502083 67502085;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:20.4pt;
text-indent:-18.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:56.4pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:92.4pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:128.4pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:164.4pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:200.4pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:236.4pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:272.4pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:308.4pt;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="SV" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText"><span lang="EN-GB">Speaking about vulnerability and NAS: ViewerProxy uses an old version of Jetty:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-GB">Eclipse Jetty 6.1.26 reached end-of-life in 2010-11-30 and is no longer supported by the vendor.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">(Our security scanning discovered this.)<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-GB" style="color:#1F497D">-----<br>
Peter Svanberg<br>
</span><span lang="EN-GB" style="font-size:9.0pt;color:#1F497D;mso-fareast-language:SV"><br>
</span><span lang="EN-GB" style="font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:SV">National Library of Sweden</span><span lang="EN-GB" style="color:#1F497D;mso-fareast-language:SV"><br>
</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#1F497D;mso-fareast-language:SV">Phone: +46 10 709
</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:SV">32 78</span><span lang="EN-GB" style="color:#1F497D;mso-fareast-language:SV"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-GB" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:65.2pt"><b><span style="mso-fareast-language:SV">Från:</span></b><span style="mso-fareast-language:SV"> NetarchiveSuite-users <netarchivesuite-users-bounces@ml.sbforge.org>
<b>För </b>Soleto Ruiz de Clavijo, Miguel<br>
<b>Skickat:</b> den 12 april 2022 13:50<br>
<b>Till:</b> netarchivesuite-users@ml.sbforge.org; 'netarchivesuite-users-bounces@ml.sbforge.org' <netarchivesuite-users-bounces@ml.sbforge.org><br>
<b>Kopia:</b> García Arratia, Juan Carlos <juancarlos.garcia@bne.es>; Monzón, Fernando <f.monzon@bne.es>; Cerdán Medina, José Carlos <josec.cerdan@bne.es><br>
<b>Ämne:</b> Re: [Netarchivesuite-users] Spring4Shell Vulnerability<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:65.2pt"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES" style="color:#1F497D">Yes, it must be the two conditions. Here, on BNE, we are not affected. I just wanted to share the link because maybe any other library could be affected.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES" style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES" style="color:#1F497D">Miguel.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:65.2pt"><b><span lang="ES" style="mso-fareast-language:ES">De:</span></b><span lang="ES" style="mso-fareast-language:ES"> NetarchiveSuite-users <<a href="mailto:netarchivesuite-users-bounces@ml.sbforge.org">netarchivesuite-users-bounces@ml.sbforge.org</a>>
<b>En nombre de </b>Bjarne Andersen<br>
<b>Enviado el:</b> martes, 12 de abril de 2022 13:45<br>
<b>Para:</b> <a href="mailto:netarchivesuite-users@ml.sbforge.org">netarchivesuite-users@ml.sbforge.org</a>; 'netarchivesuite-users-bounces@ml.sbforge.org' <<a href="mailto:netarchivesuite-users-bounces@ml.sbforge.org">netarchivesuite-users-bounces@ml.sbforge.org</a>><br>
<b>CC:</b> García Arratia, Juan Carlos <<a href="mailto:juancarlos.garcia@bne.es">juancarlos.garcia@bne.es</a>>; Monzón, Fernando <<a href="mailto:f.monzon@bne.es">f.monzon@bne.es</a>>; Cerdán Medina, José Carlos <<a href="mailto:josec.cerdan@bne.es">josec.cerdan@bne.es</a>><br>
<b>Asunto:</b> Re: [Netarchivesuite-users] Spring4Shell Vulnerability<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D">Yes Spring 5.3.3 is affected BUT only vulnerable if both these conditions is fulfilled at the same time<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:85.6pt;text-indent:-18.0pt;mso-list:l1 level1 lfo2">
<![if !supportLists]><span lang="EN-US" style="color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="color:#1F497D">Running Java 9 or higher<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:85.6pt;text-indent:-18.0pt;mso-list:l1 level1 lfo2">
<![if !supportLists]><span lang="EN-US" style="color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="color:#1F497D">Application deployed in a Tomcat application server (through a .war-file)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D">And in practice also primarily vulnerable if exposed to the Internet (to do the exploit)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D">Neither condition is present in the Danish Installation – but you could off cause build and package the applications into a war-file and run these under Tomcat using Java
9 or higher – and in that case you should consider your installation. The quickest fix would be to upgrade your Tomcat-installation with the newest builds of that, which removes the exploit.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D">I would expect the Spring Library to be upgraded I a future release of NetarchiveSuite.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D">Best<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D">Bjarne Andersen<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:65.2pt"><b><span lang="DA" style="mso-fareast-language:DA">From:</span></b><span lang="DA" style="mso-fareast-language:DA"> NetarchiveSuite-users <<a href="mailto:netarchivesuite-users-bounces@ml.sbforge.org">netarchivesuite-users-bounces@ml.sbforge.org</a>>
<b>On Behalf Of </b>Soleto Ruiz de Clavijo, Miguel<br>
<b>Sent:</b> Tuesday, April 12, 2022 1:39 PM<br>
<b>To:</b> 'netarchivesuite-users@ml.sbforge.org' <<a href="mailto:netarchivesuite-users@ml.sbforge.org">netarchivesuite-users@ml.sbforge.org</a>>; 'netarchivesuite-users-bounces@ml.sbforge.org' <<a href="mailto:netarchivesuite-users-bounces@ml.sbforge.org">netarchivesuite-users-bounces@ml.sbforge.org</a>><br>
<b>Cc:</b> García Arratia, Juan Carlos <<a href="mailto:juancarlos.garcia@bne.es">juancarlos.garcia@bne.es</a>>; Monzón, Fernando <<a href="mailto:f.monzon@bne.es">f.monzon@bne.es</a>>; Cerdán Medina, José Carlos <<a href="mailto:josec.cerdan@bne.es">josec.cerdan@bne.es</a>><br>
<b>Subject:</b> [Netarchivesuite-users] Spring4Shell Vulnerability<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="DA"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES">Hi,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES">Here is a link about the vulnerability I told you in the meeting:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES"><a href="https://securelist.com/spring4shell-cve-2022-22965/106239/">https://securelist.com/spring4shell-cve-2022-22965/106239/</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES">So, this affects to systems that use:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:101.2pt;text-indent:-18.0pt;mso-list:l0 level1 lfo4">
<![if !supportLists]><span lang="ES" style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="ES">Java version >= 9<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:101.2pt;text-indent:-18.0pt;mso-list:l0 level1 lfo4">
<![if !supportLists]><span lang="ES" style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="ES">Spring framework version from 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES">We are using Java version 7 and 8 (PRO & PRE environments). I have seen that NAS 7.3 uses Spring version 5.3.3, so it could be affected.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES">Best Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span lang="ES">Miguel.<o:p></o:p></span></p>
<div class="MsoNormal" align="center" style="margin-left:65.2pt;text-align:center">
<span lang="ES" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:SV">
<hr size="3" width="100%" align="center">
</span></div>
</div>
</body>
</html>