[thredds] [IMPORTANT:cve-2022-22965] Upgrade TDS 5 to latest ASAP

THREDDS users,

As stated in our last announcement, all releases of TDS 5 prior to
yesterday's TDS 5.4-SNAPSHOT release are vulnerable to Spring4Shell, a
remote code execution vulnerability in the Spring Framework library
(CVE-2022-22965, <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>).

We are aware of active hacking attempts against Internet-facing, unpatched
TDS servers, with one reported successful attempt in the community. Such
attempts occurred as early as Wednesday, March 30, before Spring officially
announced the existence of the vulnerability
(<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted>).


If you haven't done so already, we strongly encourage 5.x users to upgrade
to the latest snapshot immediately: https://downloads.unidata.ucar.edu/tds/

We recommend that users who have run an unpatched version of TDS 5 perform
the following steps to determine whether someone has attempted to exploit
this vulnerability:

   - Look for new subdirectories and jsp files in the tomcat webapps/
     directory.

   - Examine any place in your file system the tomcat user has access/write
     permissions for anomalies (new files, changes to files, deletion of
     files).

   - Check your access log files and look for dubious requests (specifically
     POST requests) and pay attention to the server response codes of such
     requests.


If you note any of the above, please contact your systems administrator and
local IT security team.
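The three checks above can be scripted so they are run the same way on every server. The script below is an added example and is not part of the THREDDS announcement or the TDS project. It assumes the usual Tomcat layout (webapps/ and logs/ under the Tomcat base directory, and the access log in Tomcat's default pattern) and a TDS content root under content/; the directory tree and log lines it inspects are constructed inside the script so that it can be tried offline before pointing the functions at a real $CATALINA_BASE.

```shell
#!/bin/sh
# Added example, not from the THREDDS announcement: a triage helper for the
# three post-incident checks above. The Tomcat/TDS paths are assumptions
# about a typical install; the sample directory and log are constructed here.

# 1. New directories and .jsp files under webapps/, modified in the last N days.
new_webapp_items() {   # $1 = CATALINA_BASE, $2 = days
  find "$1/webapps" -mtime "-$2" \( -type d -o -name '*.jsp' \)
}

# 2. Files changed recently in a location the tomcat user can write to
#    (for TDS, the content root). Compare the output against a known-good
#    inventory; deleted files need a baseline listing to be noticed.
recent_changes() {     # $1 = directory, $2 = days
  find "$1" -type f -mtime "-$2"
}

# 3. POST requests in a Tomcat access log (default pattern: %h %l %u %t "%r" %s %b),
#    printed as client, request path and response status. TDS endpoints
#    rarely take POSTs, so each one deserves a look.
post_requests() {      # $1 = access log file
  awk '$6 == "\"POST" { print $1, $7, $9 }' "$1"
}

# Number of POST requests that received a 2xx response, i.e. were not
# rejected by the server; these are the ones to investigate first.
accepted_posts() {     # $1 = access log file
  post_requests "$1" | awk '$3 ~ /^2/ { n++ } END { print n + 0 }'
}

# Constructed sample standing in for a real $CATALINA_BASE.
make_sample() {
  base="$(mktemp -d)"
  mkdir -p "$base/webapps/thredds" "$base/webapps/ROOT" "$base/logs" "$base/content/thredds"
  : > "$base/webapps/thredds/index.html"
  : > "$base/content/thredds/threddsConfig.xml"
  # Baseline entries get an old timestamp (20 March 2022) ...
  find "$base" -exec touch -t 202203200000 {} +
  # ... then two anomalies appear "now": a .jsp dropped into ROOT and a new
  # file in the writable content root.
  echo '<%-- constructed sample file, not a real payload --%>' > "$base/webapps/ROOT/unexpected.jsp"
  : > "$base/content/thredds/unexpected.txt"
  # Constructed access log lines (TEST-NET addresses).
  cat > "$base/logs/localhost_access_log.txt" <<'EOF'
203.0.113.5 - - [30/Mar/2022:10:12:01 +0000] "GET /thredds/catalog.html HTTP/1.1" 200 4096
198.51.100.7 - - [30/Mar/2022:10:12:09 +0000] "POST /thredds/catalog.html HTTP/1.1" 200 0
198.51.100.7 - - [30/Mar/2022:10:12:10 +0000] "POST /thredds/catalog.html HTTP/1.1" 405 0
203.0.113.5 - - [30/Mar/2022:10:13:00 +0000] "GET /thredds/dodsC/test.nc.html HTTP/1.1" 200 2048
EOF
  echo "$base"
}

SAMPLE="$(make_sample)"
echo "== new webapps directories / jsp files (30 days) =="
new_webapp_items "$SAMPLE" 30
echo "== recent changes in content root (30 days) =="
recent_changes "$SAMPLE/content" 30
echo "== POST requests (client path status) =="
post_requests "$SAMPLE/logs/localhost_access_log.txt"
echo "accepted (2xx) POSTs: $(accepted_posts "$SAMPLE/logs/localhost_access_log.txt")"
```

On a real server, replace the constructed sample with the actual base directory and a window covering the period the server ran unpatched (the announcement names March 30 as the earliest observed attempts), and run the log check over rotated access logs as well as the current one.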

We also would like to remind everyone of steps that may help mitigate
application security risks:

   - Run your tomcat server as an underprivileged user and NOT as the
     root/super user.

   - Make sure the tomcat user has read-only permission to the contents of
     the conf/, bin/, and lib/ directories in $TOMCAT_HOME.

   - Limit the tomcat user's access and permissions to only the needed
     directories and files.

   - Uninstall all non-essential web applications in the webapps/ directory,
     including the applications that come with tomcat.
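The four hardening points above can be audited with a short script. The one below is an added example and is not part of the THREDDS announcement or the TDS project. It assumes a standard Tomcat layout under $TOMCAT_HOME, that the Tomcat process can be recognised by "catalina" in its command line, and that the stock applications shipped with Tomcat are ROOT, docs, examples, manager and host-manager; the directory it inspects is constructed inside the script so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the THREDDS announcement: an audit of the four
# hardening points above. The stock webapp names and the ps/find usage are
# assumptions about a typical Tomcat install; the directory is constructed.

# 1. Which account runs Tomcat? Prints the owner of every process whose
#    command line mentions catalina (Tomcat's bootstrap). Anything other than
#    a dedicated low-privilege account, and "root" in particular, is a finding.
tomcat_process_users() {
  ps -eo user=,args= 2>/dev/null | awk '/[c]atalina/ { print $1 }' | sort -u
  return 0
}

# 2./3. Entries under conf/, bin/ and lib/ that are group- or world-writable.
#    The tomcat user should only read these. If that user also owns the files
#    (a common misconfiguration), pass its name as $2 to report owner-writable
#    entries as well; the account must exist or find will complain.
writable_entries() {   # $1 = TOMCAT_HOME, $2 = tomcat account (optional)
  for d in conf bin lib; do
    find "$1/$d" \( -perm -g+w -o -perm -o+w \)
    [ -n "${2:-}" ] && find "$1/$d" -user "$2" -perm -u+w
  done
  return 0
}

# 4. Stock Tomcat webapps still deployed. A TDS server needs only its own
#    application (plus anything you have deliberately kept); the rest add
#    attack surface for no benefit.
stock_webapps_present() {   # $1 = TOMCAT_HOME
  for app in ROOT docs examples manager host-manager; do
    [ -d "$1/webapps/$app" ] && echo "$app"
  done
  return 0
}

# Constructed sample $TOMCAT_HOME with one group-writable config file and all
# stock webapps still in place. Modes are set explicitly so the result does
# not depend on the umask of whoever runs this.
make_sample() {
  home="$(mktemp -d)"
  mkdir -p "$home/conf" "$home/bin" "$home/lib" \
           "$home/webapps/thredds" "$home/webapps/ROOT" "$home/webapps/docs" \
           "$home/webapps/examples" "$home/webapps/manager" "$home/webapps/host-manager"
  chmod 755 "$home/conf" "$home/bin" "$home/lib"
  : > "$home/conf/server.xml";       chmod 644 "$home/conf/server.xml"
  : > "$home/conf/tomcat-users.xml"; chmod 664 "$home/conf/tomcat-users.xml"   # group-writable: finding
  : > "$home/bin/catalina.sh";       chmod 755 "$home/bin/catalina.sh"
  : > "$home/lib/catalina.jar";      chmod 644 "$home/lib/catalina.jar"
  echo "$home"
}

SAMPLE_HOME="$(make_sample)"
echo "== accounts running a catalina process =="
tomcat_process_users
echo "== group/world-writable entries under conf/ bin/ lib/ =="
writable_entries "$SAMPLE_HOME"
echo "== stock Tomcat webapps still deployed =="
stock_webapps_present "$SAMPLE_HOME"
```

Each finding maps directly to one of the bullets above: a root entry from the first check means Tomcat must be moved to an unprivileged account, any path from the second should be made read-only for the tomcat user, and every application listed by the third that the site does not need should be removed from webapps/.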


We will continue to monitor the situation and will share pertinent
information as it becomes available. If you have any questions or
concerns, please contact support-thredds@xxxxxxxxxxxxxxxx.

Best,

The THREDDS development team


-- 
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)