CVE-2022-22965 fixes for 7.0, 7.1 or 7.2 backend (Bump Spring from 5.2.5 to 5.2.20) #8231
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… of spring-context-support to avoid dependency convergence issues.
tdonohue
added
bug
high priority
dependencies
This was referenced Mar 31, 2022
|
NOTE: this will be fixed on |
tdonohue
changed the title
|
Closing this PR, as the fix has now been released in 7.2.1: https://github.com/DSpace/DSpace/releases/tag/dspace-7.2.1 Use the instructions above to upgrade your existing 7.x site. The fix for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
DSpace 7 is impacted by the Spring4Shell vulnerability (CVE-2022-22965) provided that you are running the DSpace 7 backend on Apache Tomcat (which most likely are). See also https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
The fix for this vulnerability is in this PR, which upgrades Spring from 5.2.5 to 5.2.20 to avoid CVE-2022-22965.
You have several options below in patching your DSpace 7 site (each of which is documented below). CHOOSE ONE.
Upgrade 7.2 backend to 7.2.1
This fix is available in the backend version 7.2.1: https://github.com/DSpace/DSpace/releases/tag/dspace-7.2.1 If you are already on DSpace 7.2, the quickest fix may be to simply upgrade your backend to 7.2.1.
mvn -U clean packagecd [dspace-source]/dspace/target/dspace-installerant updateserverwebapp over into Tomcat)NOTE: If you are not already running DSpace 7.2, you will need to upgrade to DSpace 7.2 first before you can use the 7.2.1 release of the backend. So, if you are running 7.1 or 7.0, one of the fixes below may be easiest.
Patch / Quick Fix for 7.0, 7.1 or 7.2
This PR is a valid quick-fix of CVE-2022-22965 for either a 7.0, 7.1 or 7.2 backend.
pom.xml(i.e. the one in the top-level source folder), or cherry-pick the commit. These same changes will work for either 7.0, 7.1 or 7.2.mvn -U clean packagecd [dspace-source]/dspace/target/dspace-installerant updateserverwebapp over into Tomcat)(NOTE: This PR should never need to be applied to
mainas it will be rendered obsolete by #8215, which will fix this issue for the upcoming 7.3 release.)Workarounds / Alternative Fixes
Doesn't affect 6.x or earlier
This PR will not be backported to 6.x or earlier releases, as CVE-2022-22965 does not appear to affect those releases. DSpace 6.x and earlier releases could not be run on Java 9 or later, and this vulnerability has been documented to only affect applications running on Java 9 or later.