I would like to begin by saying that this internship has definitely been one of the top highlights of my Ph.D. journey. I spent most of my working hours implementing the idea of server-side virtual data processing. This means that data on the THREDDS Data Servers (TDS) could be virtually processed without actually modifying the data. As such, the data integrity would remain intact, but it could be optimized for ML/AI.
The NSF Unidata THREDDS development team released the THREDDS Data Server (TDS) version 5.5 on July 16th, 2024. This release contains a number of security upgrades to third-party libraries, a variety of bug fixes, and several new features and improvements. It is recommended that all TDS users upgrade to this version.
During my internship, I worked with the Unidata THREDDS team. My intentions this summer were to learn Java, improve my coding skills, and have experience using it in real-world applications. I began my journey by converting existing unit tests for the netCDF-Java library, which is tightly linked to the THREDDS Data Server (TDS) code, to the JUnit Java testing framework. Once I got this practice with Java and had a working development environment, I was able to start working on my summer project.
During the week of August 8, 2022, the Unidata Program Center plans to upgrade the THREDDS Data Server (TDS) hosted at https://thredds.ucar.edu to version 5.x of the server software.
The Unidata Program Center is hiring! We are looking for a scientific software developer to join our team in creating and maintaining software and data services to support the geosciences. Specifically, we are looking for a developer to join our open source efforts related to the suite of Thematic Real-time Environmental Distributed Data Services (THREDDS) projects.
All releases of TDS 5 prior to the March 31, 2022 TDS 5.4-SNAPSHOT release are vulnerable to the Spring4Shell exploit in the Spring Framework library (CVE-2022-22965).
We are aware of active hacking attempts against Internet-based unpatched TDS servers, with one reported successful attempt in the community. Such attempts occurred as early as Wednesday, March 30, before Spring officially announced the existence of the vulnerability.
If you haven't done so already, we strongly encourage 5.x users to upgrade to the latest snapshot immediately.