All,

The DSpace 7.2.1 release of the backend is also now available. This is a quick upgrade for any sites already running 7.2.

https://github.com/DSpace/DSpace/releases/tag/dspace-7.2.1

For the latest information on how to protect your site against Spring4Shell (CVE-2022-22965), see the list of options detailed in this PR: https://github.com/DSpace/DSpace/pull/8231

This includes listing options for anyone running 7.0 or 7.1. (Again, sites running DSpace 6.x, 5.x, 4.x or other older releases are not impacted by the vulnerability.)

If there are any further questions, let us know on this list.

Tim

________________________________
From: Tim Donohue <tim.dono...@lyrasis.org>
Sent: Friday, April 1, 2022 9:33 AM
To: DSpace Community <dspace-commun...@googlegroups.com>; DSpace Technical Support <dspace-t...@googlegroups.com>; DSpace Developers <dspace-devel@googlegroups.com>
Subject: NOTICE: DSpace 7 is impacted by new "Spring4Shell" zero-day vulnerability. Does not impact DSpace 6 or below.

All,

You may have heard or been notified about a new significant vulnerability in the Java Spring Framework nicknamed Spring4Shell (CVE-2022-22965): https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

DSpace 7 is impacted by this vulnerability provided that you are running the DSpace 7 backend on Apache Tomcat (which most likely are). DSpace 6.x or below (5.x, 4.x, etc.) are NOT impacted, as those releases of DSpace all used Java/JDK 8 or below. This vulnerability only occurs when running on Java/JDK 9 or above.

IMMEDIATE QUICK FIX OPTIONS

* Patch your DSpace 7 backend by applying the changes in this small PR: https://github.com/DSpace/DSpace/pull/8231
  This patch may be applied to an existing 7.2, 7.1 or 7.0 site.
  * NOTE: A DSpace 7.2.1 backend security release will be released later today (likely within the next 1-2 hours) with these same changes applied. A follow-up to this email will be sent when that release is available for download.
* And/Or, upgrade to Apache Tomcat version 9.0.62 (or a later 9.x release). This version of Apache Tomcat provides protection against the attack. Therefore, if you upgrade Tomcat, your existing DSpace 7 site should be protected.

Other common questions:

* Is DSpace vulnerable to the separate Spring Cloud vulnerability CVE-2022-22963? No, it is not. No version of DSpace has ever used Spring Cloud.
* If there are other questions, feel free to ask them on this list!

Tim

--
Tim Donohue (he/him)
Technical Lead, DSpace
tim.dono...@lyrasis.org
Lyrasis.org<https://www.lyrasis.org/> | DSpace.org<http://dspace.org>
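Added example, not from the email or the DSpace project: a POSIX shell check that applies only the rules the advisory states (DSpace 7.x on JDK 9+ is affected; 7.2.1 carries the fix; Tomcat 9.0.62 or a later 9.x protects an unpatched site) to classify a host. The version strings are constructed inputs; obtaining them from `java -version` and Tomcat's `version.sh` is left to the caller.

```shell
#!/bin/sh
# Triage helper for CVE-2022-22965 exposure on DSpace hosts.
# Assumes the caller supplies: DSpace version, Java major version, Tomcat version.

# vercmp A B: succeeds (returns 0) when dotted version A >= B, e.g. 9.0.62 >= 9.0.58.
vercmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"          # leading component of each
    a="${a#*.}";  b="${b#*.}"           # drop it
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# spring4shell_status DSPACE_VERSION JAVA_MAJOR TOMCAT_VERSION
# prints one of: not-affected | fixed-release | tomcat-protected | needs-patch
spring4shell_status() {
  dspace="$1"; java="$2"; tomcat="$3"
  case "$dspace" in
    7|7.*) ;;                                     # only the 7.x backend is in scope
    *) echo not-affected; return 0 ;;            # 6.x and older are not impacted
  esac
  if vercmp "$dspace" 7.2.1; then                 # 7.2.1 ships the PR 8231 changes
    echo fixed-release; return 0
  fi
  if [ "$java" -lt 9 ]; then                      # the flaw needs JDK 9 or above
    echo not-affected; return 0
  fi
  case "$tomcat" in                               # Tomcat 9.0.62+ (9.x) protects the site
    9.*) if vercmp "$tomcat" 9.0.62; then echo tomcat-protected; return 0; fi ;;
  esac
  echo needs-patch                                # apply PR 8231 / upgrade to 7.2.1 or Tomcat 9.0.62+
}

# Constructed sample host: DSpace 7.2 on JDK 11 with Tomcat 9.0.58.
spring4shell_status 7.2 11 9.0.58
```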