Vulnerability with postgresql driver #174

Open
JessyBarrette opened this issue Feb 21, 2024 · 7 comments

Comments

JessyBarrette (Collaborator) commented Feb 21, 2024

We would need to fix this. Perhaps this will be fixed within the erddap-docker container prior to us

A critical vulnerability has been identified in the Postgresql JDBC driver. If you are using Postgresql with ERDDAP, please update as soon as possible and let us know if it causes any problems. In the instructions it points to:

> https://mvnrepository.com/artifact/org.postgresql/postgresql

as one place to get the driver.  The instructions on where to put the JDBC driver and other settings are:

> JDBC Driver and <driverName> -- You must get the appropriate JDBC 3 or JDBC 4 driver .jar file for your database and
> put it in tomcat/webapps/erddap/WEB-INF/lib after you install ERDDAP. Then, in your datasets.xml for this dataset, you must specify the <driverName> for this driver, which is (unfortunately) different from the filename. Search on the web for the JDBC driver for your database and the driverName that Java needs to use it.
>
> After you put the JDBC driver .jar in ERDDAP lib directory, you need to add a reference to that .jar file in the .bat and/or .sh script files for GenerateDatasetsXml, DasDds, and ArchiveADataset which are in the tomcat/webapps/erddap/WEB-INF/ directory; otherwise, you'll get a ClassNotFoundException when you run those scripts.

Note that this update can be done without an update to the rest of ERDDAP, but as always we recommend running the latest version of ERDDAP (presently 2.23).
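An added audit helper for the driver placement described in the quoted instructions (my own example, not ERDDAP or erddap-docker code). It assumes the WEB-INF layout the instructions give; MIN_VERSION is a placeholder for the fixed driver version from the advisory, and the fixture version numbers are constructed.

```shell
#!/bin/sh
# Checks the three points in the quoted instructions: exactly one pgjdbc jar in
# WEB-INF/lib, at or above a minimum version, and that jar referenced by the
# GenerateDatasetsXml, DasDds and ArchiveADataset scripts in WEB-INF/.
# MIN_VERSION is a placeholder; take the fixed version from the advisory.

# Version from a pgjdbc jar path: .../postgresql-1.2.3.jar -> 1.2.3
jar_version() {
  basename "$1" | sed -n 's/^postgresql-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# True if dotted version $1 >= $2 (up to three numeric components).
version_ge() {
  top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
  [ "$top" = "$1" ]
}

# check_pgjdbc WEB-INF-DIR MIN_VERSION: prints each finding, returns 0 if clean.
check_pgjdbc() {
  webinf=$1; min=$2; rc=0
  set -- "$webinf"/lib/postgresql-*.jar
  [ -e "$1" ] || { echo "no postgresql-*.jar in $webinf/lib"; return 1; }
  # Two jars means the old driver is still on the classpath and may still load.
  [ $# -eq 1 ] || { echo "several pgjdbc jars present: $*"; rc=1; }
  jar=$(basename "$1"); ver=$(jar_version "$1")
  if version_ge "$ver" "$min"; then echo "$jar: version $ver >= $min"
  else echo "$jar: version $ver below $min, update it"; rc=1; fi
  # Per the instructions a script that does not reference the jar fails with
  # ClassNotFoundException; one still naming the old jar is flagged the same way.
  for s in GenerateDatasetsXml DasDds ArchiveADataset; do
    for f in "$webinf/$s.sh" "$webinf/$s.bat"; do
      [ -f "$f" ] || continue
      grep -q "$jar" "$f" || { echo "$f does not reference $jar"; rc=1; }
    done
  done
  return $rc
}

# Constructed fixture for a dry run: WEB-INF with one jar and three .sh scripts.
make_fixture() {
  mkdir -p "$1/lib"; : > "$1/lib/postgresql-$2.jar"
  for s in GenerateDatasetsXml DasDds ArchiveADataset; do
    printf 'CP=lib/postgresql-%s.jar\n' "$2" > "$1/$s.sh"
  done
}

# Run with --demo to see a passing check (1.2.3 >= 1.2.3) and a failing one.
[ "${1-}" = "--demo" ] && { d=$(mktemp -d); make_fixture "$d" 1.2.3
  check_pgjdbc "$d" 1.2.3; check_pgjdbc "$d" 1.2.4; rm -r "$d"; }
```

Against a real install, point it at tomcat/webapps/erddap/WEB-INF and pass the advisory's fixed version as MIN_VERSION.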
steviewanders commented

Can you post the original text/document. Missing details and context.

JessyBarrette (Collaborator, Author) commented Feb 22, 2024

This is coming from the ERDDAP google chat. Here's the thread
https://groups.google.com/g/erddap/c/HrqztnJEBBc/m/P_3vdxkyAwAJ?utm_medium=email&utm_source=footer

JessyBarrette (Collaborator, Author) commented

FYI, this is also where all the historical discussions regarding ERDDAP live. Some of it is now living within the ERDDAP GitHub repository.

JessyBarrette (Collaborator, Author) commented

Seems straightforward to manage on our side by mounting the driver within the containers, either via docker-compose for the present main/dev branch or the Dockerfile for caprover-deploy.

This is only affecting the Hakai ERDDAP, which points to the Hakai PostgreSQL database.

steviewanders commented

> This is coming from the ERDDAP google chat. Here's the thread https://groups.google.com/g/erddap/c/HrqztnJEBBc/m/P_3vdxkyAwAJ?utm_medium=email&utm_source=footer

This also does not link to or mention what the actual vulnerability is, or a CVE?

steviewanders commented

GHSA-v7wg-cpwc-24m4

steviewanders commented Feb 27, 2024

Basically only an issue if you expose the Postgresql connection string, which we do not.

So it can be fixed as part of a normal upgrade process, whatever we decide that is.

@JessyBarrette Can you link to the commit to the Dockerfile that is being deployed here when you upgrade it, please.
