Hi,

We have 2 DSpace repositories – our main IR, which is DSpace v6.2, and a Data 
repository, which is DSpace v5.2 (yes, I know, both well out of support and 
neither is the latest version on their respective branches!) – both using the 
JSP UI – both are (very) heavily customised, which makes upgrades hard (so 
can’t just pop on the latest v6 or v5 releases) . . .

A colleague from our infrastructure team has contacted me as their 
vulnerability scanning software has identified issues with SOLR (on both 
systems), and he has asked me if it possible to upgrade SOLR on those servers 
to (hopefully!) eradicate the identified vulnerabilities.

This is the list he sent me:

Apache Solr: CVE-2017-3164: SSRF issue in Apache Solr
Apache Solr: CVE-2019-0193: Apache Solr, Remote Code Execution via DataImportHandler
Apache Solr: CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0
Apache Solr: CVE-2020-13941: Apache Solr information disclosure vulnerability
Apache Solr: CVE-2021-27905: SSRF vulnerability with the Replication handler
Apache Solr: CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings
Apache Solr: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections

Does anyone know if DSpace v6.2 and/or v5.2 are vulnerable to any of these, or 
know where I can look to find out – I tried searching the DSpace 
documentation/release notes/mailing list but didn’t find any mention of any of 
these, but I could just not be looking in the right place! (or maybe that means 
DSpace is not vulnerable?) . . .

And, if any of these vulnerabilities are exploitable in either version v6.2 or 
v5.2, does anyone know any way to resolve the issues in a “light touch” way 
(i.e. without doing a full upgrade) – e.g. “just” change the version number(s) 
in the (SOLR) POM, or apply this or that patch/diff (to update bits of DSpace 
that are affected) . . . ?

Of course, the upgrade to v7 (or even v8!) is still on my to do list, but it’s 
still a way down the road due to other priorities, so I need to patch/fudge my 
way round this for the time being (assuming any of these are an issue of 
course!) . . .

Any information, pointers, or suggestions that anyone may have would be very 
welcome.

Cheers,

Mike

Michael White
Senior Developer
Product Development
Information Services
University of Stirling
Stirling
FK9 4LA

Tel: +44 (0) 1786 466877
Email: michael.wh...@stir.ac.uk
Web: Information Services <https://www.stir.ac.uk/about/professional-services/information-services-and-library/>

My normal working hours are: Mon-Fri, 8.30-4.30

________________________________
Scotland’s University for Sporting Excellence
The University of Stirling is a charity registered in Scotland, number SC 011159
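The two questions in the post that can be answered locally before anyone touches the POM are "which Solr is actually running?" and "are the handlers named in the CVE list (DataImportHandler for CVE-2019-0193, the Replication handler for CVE-2021-27905) even registered in the DSpace cores?". The following triage script is an added example written for this thread, not code from the post or from the DSpace project. It assumes you can fetch the JSON from Solr's /admin/info/system endpoint and read the core's solrconfig.xml; the handler class names it looks for are the standard Solr ones (org.apache.solr.handler.dataimport.DataImportHandler, solr.ReplicationHandler), and the sample config and system-info JSON embedded below are constructed for illustration. A handler being absent narrows the exposure question; a handler being present is a reason to read the advisory for that CVE, not proof of exploitability.

```python
"""
Triage helper for the Solr CVE list in the post (added example, not from
the original mailing-list message or the DSpace project).

Given a core's solrconfig.xml and the JSON that Solr returns from
/admin/info/system?wt=json, report:
  * the Solr spec version actually running,
  * the luceneMatchVersion the core is configured for,
  * which request handlers tied to the listed CVEs are registered.
"""
import json
import xml.etree.ElementTree as ET

# CVE -> handler class-name suffixes. The CVE/handler pairing is taken from
# the CVE titles in the post; the class names are the standard Solr ones
# (assumption: check the exact string used in your own solrconfig.xml).
WATCHED_HANDLERS = {
    "CVE-2019-0193": ("DataImportHandler",),
    "CVE-2021-27905": ("ReplicationHandler",),
}

# Constructed sample of /admin/info/system?wt=json output (values made up).
SAMPLE_SYSTEM_INFO = json.dumps({
    "lucene": {
        "solr-spec-version": "4.10.4",
        "lucene-spec-version": "4.10.4",
    },
    "jvm": {"version": "1.8.0_EXAMPLE"},
})

# Constructed sample solrconfig.xml for a DSpace-style core: the usual
# /select and /update handlers plus a replication handler, no DIH.
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <luceneMatchVersion>4.10.4</luceneMatchVersion>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/update" class="solr.UpdateRequestHandler"/>
  <requestHandler name="/replication" class="solr.ReplicationHandler">
    <lst name="master"><str name="replicateAfter">commit</str></lst>
  </requestHandler>
</config>
"""


def solr_version_from_system_info(system_info_json: str) -> str:
    """Return the running Solr spec version from /admin/info/system JSON."""
    info = json.loads(system_info_json)
    return info["lucene"]["solr-spec-version"]


def config_lucene_match_version(solrconfig_xml: str) -> str:
    """Return the <luceneMatchVersion> the core is configured for ('' if absent)."""
    root = ET.fromstring(solrconfig_xml)
    node = root.find("luceneMatchVersion")
    return (node.text or "").strip() if node is not None else ""


def registered_handlers(solrconfig_xml: str) -> dict:
    """Map each <requestHandler name=...> path to its class attribute."""
    root = ET.fromstring(solrconfig_xml)
    return {
        h.get("name"): h.get("class", "")
        for h in root.iter("requestHandler")
        if h.get("name")
    }


def triage(solrconfig_xml: str) -> dict:
    """For each watched CVE, list handler paths whose class matches."""
    handlers = registered_handlers(solrconfig_xml)
    return {
        cve: sorted(path for path, cls in handlers.items() if cls.endswith(suffixes))
        for cve, suffixes in WATCHED_HANDLERS.items()
    }


if __name__ == "__main__":
    print("running Solr:", solr_version_from_system_info(SAMPLE_SYSTEM_INFO))
    print("configured luceneMatchVersion:", config_lucene_match_version(SAMPLE_SOLRCONFIG))
    for cve, paths in triage(SAMPLE_SOLRCONFIG).items():
        status = "registered at " + ", ".join(paths) if paths else "handler not registered"
        print(f"{cve}: {status}")
```

Run it against each core under the DSpace Solr webapp (search, statistics, oai, authority) rather than once per server, since each core has its own solrconfig.xml; the version check needs doing only once per Solr instance.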

Posted to the Google Groups "DSpace Technical Support" (dspace-tech) group; archived at
https://groups.google.com/d/msgid/dspace-tech/DBBPR03MB703513D52D9296DEFD5BCE15D4052%40DBBPR03MB7035.eurprd03.prod.outlook.com