As long as you are not exposing the DSpace SOLR to the public web 
interface, the scope of this issue is limited. You should however at 
least take the upgrade to DSpace 6.4.

Edmund

On Thursday, April 11, 2024 at 9:52:16 PM UTC+10 Michael White wrote:

> Hi,
>
> We have 2 DSpace repositories – our main IR, which is DSpace v6.2, and a 
> Data repository, which is DSpace v5.2 (yes, I know, both well out of 
> support and neither is the latest version on their respective branches!) – 
> both using the JSP UI – both are (very) heavily customised, which makes 
> upgrades hard (so can’t just pop on the latest v6 or v5 releases) . . . 
>
> A colleague from our infrastructure team has contacted me as their 
> vulnerability scanning software has identified issues with SOLR (on both 
> systems), and he has asked me if it is possible to upgrade SOLR on those 
> servers to (hopefully!) eradicate the identified vulnerabilities.
>
> This is the list he sent me:
>
> Apache Solr: CVE-2017-3164: SSRF issue in Apache Solr
>
> Apache Solr: CVE-2019-0193: Apache Solr, Remote Code Execution via 
> DataImportHandler
>
> Apache Solr: CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0
>
> Apache Solr: CVE-2020-13941: Apache Solr information disclosure 
> vulnerability
>
> Apache Solr: CVE-2021-27905: SSRF vulnerability with the Replication 
> handler
>
> Apache Solr: CVE-2021-29262: Misapplied Zookeeper ACLs can result in 
> leakage of configured authentication and authorization settings
>
> Apache Solr: CVE-2021-29943: Apache Solr Unprivileged users may be able to 
> perform unauthorized read/write to collections
>
> Does anyone know if DSpace v6.2 and/or v5.2 are vulnerable to any of 
> these, or know where I can look to find out – I tried searching the DSpace 
> documentation/release notes/mailing list but didn’t find any mention of any 
> of these, but I could just not be looking in the right place! (or maybe 
> that means DSpace is not vulnerable?) . . . 
>
> And, if any of these vulnerabilities are exploitable in either version 
> v6.2 or v5.2, does anyone know any way to resolve the issues in a “light 
> touch” way (i.e. without doing a full upgrade) – e.g. “just” change the 
> version number(s) in the (SOLR) POM, or apply this or that patch/diff (to 
> update bits of DSpace that are affected) . . . ?
>
> Of course, the upgrade to v7 (or even v8!) is still on my to do list, but 
> it’s still a way down the road due to other priorities, so I need to 
> patch/fudge my way round this for the time being (assuming any of these are 
> an issue of course!) . . . 
>
> Any information, pointers, or suggestions that anyone may have would be 
> very welcome.
>
> Cheers,
>
> Mike
>
> Michael White, Senior Developer, Product Development
>
> Information Services, University of Stirling
> Stirling
> FK9 4LA
>
> Tel: +44 (0) 1786 466877
> Email: michael.wh...@stir.ac.uk
> Web: Information Services 
> <https://www.stir.ac.uk/about/professional-services/information-services-and-library/>
>
> My normal working hours are: Mon-Fri, 8.30-4.30
