Upgrade NOW: TDS 5.4-SNAPSHOT to address Spring4Shell CVE

All releases of TDS 5 prior to the March 31, 2022 TDS 5.4-SNAPSHOT release are vulnerable to the Spring4Shell exploit against the Spring Framework library (CVE-2022-22965).

We are aware of active hacking attempts against unpatched, Internet-facing TDS servers, with one reported successful attempt in the community. Such attempts occurred as early as Wednesday, March 30, before Spring officially announced the existence of the vulnerability.

If you haven't done so already, we strongly encourage 5.x users to upgrade to the latest snapshot immediately: https://downloads.unidata.ucar.edu/tds/

We recommend that users who have run an unpatched version of TDS 5 perform the following steps to determine whether someone has attempted to exploit this vulnerability:

  • Look for new subdirectories and jsp files in the Tomcat webapps/ directory.
  • Examine any place in your file system where the Tomcat user has access or write permissions for anomalies (new files, changes to files, deletion of files).
  • Check your access log files and look for dubious requests (specifically POST requests) and pay attention to the server response codes of such requests.
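As an added example (not code from the Unidata announcement or the TDS project), the shell helpers below automate the log and file-system checks listed above. They assume Tomcat's access log uses the common/combined pattern (client, ident, user, bracketed timestamp, quoted request line, status code, bytes); the sample log lines are constructed, and the paths are placeholders for the real log and webapps/ locations.

```shell
#!/bin/sh
# Added example, not code from the Unidata post or the TDS project: triage
# helpers for a host that ran an unpatched TDS 5. Assumes Tomcat's access log
# uses the common/combined pattern (client, ident, user, [timestamp tz],
# "request line", status, bytes, ...). The sample log below is constructed.

# One line per HTTP status code, "<status> <count>", for POST requests only.
# Field 6 is the opening quote plus the method, field 9 the status code.
post_requests_by_status() {
    awk '$6 == "\"POST" { counts[$9]++ }
         END { for (s in counts) printf "%s %s\n", s, counts[s] }' "$1" | sort
}

# Full log lines for POST requests, so paths, status codes and user agents
# can be reviewed by hand.
list_post_requests() {
    awk '$6 == "\"POST"' "$1"
}

# Files matching a name pattern under a directory tree that were modified
# in the last N days. Run it against the Tomcat webapps/ directory (and any
# other path the Tomcat user can write to) and compare the hits with a
# known-good deployment.
#   $1 = directory, $2 = days (default 7), $3 = name glob (default '*')
recent_files_under() {
    find "$1" -type f -name "${3:-*}" -mtime "-${2:-7}" 2>/dev/null | sort
}

# Constructed sample log (not real traffic) so the helpers run offline.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [30/Mar/2022:09:12:01 -0600] "GET /thredds/catalog.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Mar/2022:09:12:05 -0600] "POST /thredds/catalog.html HTTP/1.1" 500 1721 "-" "python-requests/2.27"
203.0.113.7 - - [30/Mar/2022:09:12:06 -0600] "POST /thredds/catalog.html HTTP/1.1" 500 1721 "-" "python-requests/2.27"
198.51.100.4 - - [30/Mar/2022:09:13:00 -0600] "GET /thredds/dodsC/test.nc.html HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Mar/2022:09:14:10 -0600] "POST /thredds/wms/test.nc HTTP/1.1" 200 33 "-" "curl/7.68.0"
EOF
}

# With no arguments, demonstrate against the constructed sample; otherwise
# take <access_log> [webapps_dir] (placeholders for the real paths).
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    write_sample_log "$sample"
    echo "POST requests by status:"; post_requests_by_status "$sample"
    echo "POST request lines:";      list_post_requests "$sample"
    rm -f "$sample"
else
    post_requests_by_status "$1"
    list_post_requests "$1"
    if [ -n "${2:-}" ]; then
        echo "Recently modified .jsp files under $2:"
        recent_files_under "$2" 7 '*.jsp'
    fi
fi
```

Run it as `sh triage.sh /path/to/tomcat/logs/localhost_access_log.txt /path/to/tomcat/webapps` and read the status-code summary first: a cluster of POSTs from one client against pages that are normally only fetched with GET is the kind of request the list above calls dubious, and the file listing shows whether anything under webapps/ changed around the same time.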

If you note any of the above, please contact your systems administrator and local IT security team.

We also would like to remind everyone of steps to take that may help mitigate application security risks:

  • We remind everyone to run their Tomcat server as an unprivileged user and NOT as the root/super user.
  • Please make sure the Tomcat user has read-only permission to the contents of the conf/, bin/, and lib/ directories in $TOMCAT_HOME.
  • Limit the Tomcat user’s access and permissions to only the needed directories and files.
  • Uninstall all non-essential web applications in the webapps/ directory, including the applications that come with Tomcat.
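An added audit script, not from the Unidata post or the TDS project, that checks the permission points in the list above: it reports files under conf/, bin/ and lib/ that the Tomcat service account could modify, and whether a Java process is running as root. It assumes POSIX find(1), id(1) and ps(1) and takes $TOMCAT_HOME and the service account name as arguments (placeholders here).

```shell
#!/bin/sh
# Added example, not code from the Unidata post or the TDS project: audits
# the Tomcat hardening points above. Assumes POSIX find(1), id(1) and ps(1);
# TOMCAT_HOME and the service account name are arguments (placeholders).

# Print every regular file under $1/{conf,bin,lib} that the account $2 could
# write: files it owns with the owner-write bit (0200), files in one of its
# groups with the group-write bit (0020), and world-writable files (0002).
# Empty output means the three directories are read-only for that account.
writable_by_account() {
    home="$1"; account="$2"
    for d in conf bin lib; do
        [ -d "$home/$d" ] || continue
        find "$home/$d" -type f \( \( -user "$account" -perm -200 \) -o -perm -002 \)
        for g in $(id -Gn "$account" 2>/dev/null); do
            find "$home/$d" -type f -group "$g" -perm -020
        done
    done | sort -u
}

# Exit status 0 if a Java process owned by root is running (the situation
# the list above says to avoid), 1 otherwise.
java_running_as_root() {
    ps -eo user=,comm= | awk '$1 == "root" && $2 ~ /java$/ { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Only run the audit when invoked with both arguments.
if [ "$#" -ge 2 ]; then
    echo "Files under $1/{conf,bin,lib} writable by $2:"
    writable_by_account "$1" "$2"
    if java_running_as_root; then
        echo "WARNING: a Java process is running as root"
    else
        echo "OK: no Java process is running as root"
    fi
else
    echo "usage: $0 TOMCAT_HOME tomcat_account" >&2
fi
```

Run it as `sh audit.sh /opt/tomcat tomcat` (placeholder paths). Any path it prints under conf/, bin/ or lib/ is a file the Tomcat user can alter; tightening it to read-only (for example `chmod 444` on files and `chmod 555` on directories, with ownership held by an administrative account) brings the deployment in line with the second point above.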

We will continue to monitor the situation and will share pertinent information as it becomes available. If you have any questions or concerns, please contact support-thredds@unidata.ucar.edu.

Best, The THREDDS development team

Comments:

Are 4.6.x versions of TDS affected?

Posted by David on April 20, 2022 at 01:33 PM MDT

At this time, the Spring exploit is only vulnerable when using JDK9+. Since TDS 4.6.x is on Java 8, it is not affected.

Posted by Hailey Johnson on April 21, 2022 at 11:20 AM MDT

News@Unidata
News and information from the Unidata Program Center