CVE-2022-22965 fixes for 7.0, 7.1 or 7.2 backend (Bump Spring from 5.2.5 to 5.2.20) #8231
Overview
DSpace 7 is impacted by the Spring4Shell vulnerability (CVE-2022-22965), provided that you are running the DSpace 7 backend on Apache Tomcat (which most sites likely are). See also https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
The fix for this vulnerability is in this PR, which upgrades Spring from 5.2.5 to 5.2.20 to avoid CVE-2022-22965.
You have several options for patching your DSpace 7 site, each of which is documented below. CHOOSE ONE.
Upgrade 7.2 backend to 7.2.1
This fix is available in the backend version 7.2.1: https://github.com/DSpace/DSpace/releases/tag/dspace-7.2.1. If you are already on DSpace 7.2, the quickest fix may be to simply upgrade your backend to 7.2.1.

```
mvn -U clean package
cd [dspace-source]/dspace/target/dspace-installer
ant update
```
(then copy the `server` webapp over into Tomcat)

NOTE: If you are not already running DSpace 7.2, you will need to upgrade to DSpace 7.2 first before you can use the 7.2.1 release of the backend. So, if you are running 7.1 or 7.0, one of the fixes below may be easiest.
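Whichever route you take (the 7.2.1 upgrade here, or the quick-fix patch for 7.0/7.1/7.2 below), the deployment step is the same, and it is worth confirming that the `server` webapp Tomcat is actually serving contains the bumped Spring version. The script below is an added example, not part of this PR or of DSpace; it assumes the webapp is deployed as an exploded directory with a `WEB-INF/lib` folder, and the constructed demo directories only stand in for a real installation.

```shell
#!/bin/sh
# Added example (not DSpace project code): verify that a deployed DSpace 7 "server"
# webapp ships the spring-core version this PR bumps to (5.2.20) or newer.
# Assumption: the webapp is an exploded directory with a WEB-INF/lib folder.
FIXED_VERSION="5.2.20"

# Print the version from spring-core-<version>.jar in WEB-INF/lib (5.2.x jars
# carry a ".RELEASE" suffix, which is stripped); return 1 if no such jar exists.
spring_core_version() {
    jar=$(ls "$1"/WEB-INF/lib/spring-core-*.jar 2>/dev/null | head -n 1)
    [ -n "$jar" ] || return 1
    basename "$jar" .jar | sed -e 's/^spring-core-//' -e 's/\.RELEASE$//'
}

# Return 0 if the shipped version is >= FIXED_VERSION, 1 if it is older or missing.
spring_is_patched() {
    ver=$(spring_core_version "$1") || return 1
    # sort -V orders version strings numerically; the first line is the lower one.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Constructed webapp layout for demonstration: an empty jar named like the real one.
make_demo_webapp() {
    dir=$(mktemp -d)
    mkdir -p "$dir/WEB-INF/lib"
    touch "$dir/WEB-INF/lib/spring-core-$1.jar"
    printf '%s\n' "$dir"
}

# Demo: an unpatched 7.x deployment (5.2.5) next to one rebuilt with this PR (5.2.20).
OLD=$(make_demo_webapp 5.2.5.RELEASE)
NEW=$(make_demo_webapp 5.2.20.RELEASE)
for webapp in "$OLD" "$NEW"; do
    if spring_is_patched "$webapp"; then
        echo "$webapp: spring-core $(spring_core_version "$webapp") -> patched"
    else
        echo "$webapp: spring-core $(spring_core_version "$webapp" || echo none) -> NOT patched"
    fi
done
rm -rf "$OLD" "$NEW"
```

Against a real installation, pass the deployed webapp directory (for example `$TOMCAT_HOME/webapps/server`, a path you adjust for your site) to `spring_is_patched`.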
Patch / Quick Fix for 7.0, 7.1 or 7.2
This PR is a valid quick fix for CVE-2022-22965 on a 7.0, 7.1 or 7.2 backend.

Apply the change from this PR to your `pom.xml` (i.e. the one in the top-level source folder), or cherry-pick the commit. These same changes will work for 7.0, 7.1 or 7.2. Then rebuild and redeploy:

```
mvn -U clean package
cd [dspace-source]/dspace/target/dspace-installer
ant update
```
(then copy the `server` webapp over into Tomcat)

(NOTE: This PR should never need to be applied to `main`, as it will be rendered obsolete by #8215, which will fix this issue for the upcoming 7.3 release.)

Workarounds / Alternative Fixes
Doesn't affect 6.x or earlier
This PR will not be backported to 6.x or earlier releases, as CVE-2022-22965 does not appear to affect those releases. DSpace 6.x and earlier releases could not be run on Java 9 or later, and this vulnerability has been documented to only affect applications running on Java 9 or later.