Hello THREDDS users,
As some of you may already be aware, an RCE vulnerability was recently
reported for the Spring Framework library (CVE-2022-22965
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>). You can
read Spring's statement here
<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>.
A Spring Framework patch release was made available this morning.
We've published a new TDS 5 snapshot built against the patched Spring
Framework release (5.3.18), and it is now available on the Unidata downloads
page <https://downloads.unidata.ucar.edu/tds/>. *All previous releases of
TDS 5.x are vulnerable to this exploit.* We strongly encourage 5.x users to
upgrade to the latest snapshot.
To our knowledge, no releases of TDS 4.6.x are vulnerable due to their older
JDK dependency (JDK 8).
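If you want to confirm what a deployed TDS war actually bundles before and after upgrading, the following script is an added example (it is not part of this announcement or of the TDS code base). It opens a .war, lists the Spring Framework jars under WEB-INF/lib, and flags any older than the fix releases Spring published (5.3.18, or 5.2.20 on the 5.2 line); it also reports the JDK major version from a java.version string, since Spring's announcement lists JDK 9 or later as a prerequisite for the exploit. The sample war it builds in memory is constructed for the demonstration, and the list of Spring Framework module names is an assumption used to skip jars from other Spring projects (Spring Security, Spring Boot) that version independently.

```python
"""Check a TDS .war for Spring Framework jars predating the CVE-2022-22965 fix.

Added example, not part of the THREDDS announcement or the TDS code base.
"""
import io
import re
import sys
import zipfile

# Spring Framework modules that ship as spring-<module>-<version>.jar (assumed list;
# other Spring projects such as spring-security-* are versioned separately).
FRAMEWORK_MODULES = {
    "spring-core", "spring-beans", "spring-context", "spring-context-support",
    "spring-aop", "spring-expression", "spring-jcl", "spring-web", "spring-webmvc",
    "spring-webflux", "spring-orm", "spring-jdbc", "spring-tx", "spring-messaging",
    "spring-oxm", "spring-test", "spring-websocket",
}

# Matches WEB-INF/lib/spring-web-5.3.17.jar and older names such as
# spring-web-5.1.9.RELEASE.jar; captures the artifact and the numeric version.
JAR_RE = re.compile(
    r"WEB-INF/lib/(spring-[a-z]+(?:-[a-z]+)*)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def is_patched(version):
    """True if a Spring Framework version is at or past the CVE-2022-22965 fix.

    Spring fixed the issue in 5.3.18 and, for the 5.2 line, in 5.2.20.
    Anything older (including unsupported 5.1.x / 4.x lines) is treated as vulnerable.
    """
    if version >= (5, 3, 18):
        return True
    return (5, 2, 20) <= version < (5, 3, 0)


def spring_jars(war_bytes):
    """Return {artifact: (major, minor, patch)} for Spring Framework jars in the war."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = JAR_RE.search(name)
            if match and match.group(1) in FRAMEWORK_MODULES:
                found[match.group(1)] = tuple(int(x) for x in match.group(2, 3, 4))
    return found


def vulnerable_jars(war_bytes):
    """Subset of spring_jars() whose version predates the fix release."""
    return {a: v for a, v in spring_jars(war_bytes).items() if not is_patched(v)}


def java_major(version_string):
    """Major JDK version from a java.version string: '1.8.0_322' -> 8, '11.0.14' -> 11."""
    parts = version_string.strip().strip('"').split(".")
    major = int(parts[0])
    return int(parts[1]) if major == 1 else major  # pre-9 scheme is 1.<major>.x


def build_sample_war(spring_version):
    """Construct a minimal in-memory war (sample input, not a real TDS distribution)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact in ("spring-core", "spring-beans", "spring-web", "spring-webmvc"):
            z.writestr(f"WEB-INF/lib/{artifact}-{spring_version}.jar", b"")
        z.writestr("WEB-INF/lib/jackson-databind-2.13.2.jar", b"")  # unrelated jar
    return buf.getvalue()


def main(argv):
    # Usage: python check_spring_war.py /path/to/thredds.war [java.version string]
    war_bytes = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_war("5.3.17")
    jdk = java_major(argv[2]) if len(argv) > 2 else None
    bad = vulnerable_jars(war_bytes)
    for artifact, version in sorted(spring_jars(war_bytes).items()):
        status = "VULNERABLE" if artifact in bad else "patched"
        print(f"{artifact}-{'.'.join(map(str, version))}: {status}")
    if jdk is not None:
        print(f"JDK {jdk}: exploit prerequisite (JDK 9+) {'met' if jdk >= 9 else 'not met'}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the war you actually deployed (the exploded webapps directory works too if you point it at the original archive); a non-zero exit means at least one Spring Framework jar predates the fix. The JDK check is informational only: the safe remediation is the patched Spring release, not relying on an older JDK.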
*Updates on upcoming releases:*
We will be publishing an official release of TDS 5.4 shortly, and apologize
that it has taken longer than expected to do so. The 5.4 release will
contain a large number of bug fixes, particularly to the
NetcdfSubsetService and S3 support.
best,
The THREDDS development team
--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)