Hi Roland,
Thanks for the quick turnaround. But now we've got 2 new NASA issues I hope you can help with.
One is with LAS/Thredds log4j, and the other is a Thredds Spring Framework issue.
#21987: Medium Vulnerability: Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE (156327, 156057)
Path : las.v8.6.16/WebContent/WEB-INF/lib/log4j-core-2.17.0.jar
Path : tomcat/webapps/thredds/WEB-INF/lib/log4j-core-2.17.0.jar
Path : tomcat/webapps/EarthSystemLAS/WEB-INF/lib/log4j-core-2.17.0.jar
Installed version : 2.17.0
Fixed version : 2.17.1
#23430: Medium Vulnerability: Spring Framework < 5.2.20 / 5.3.x < 5.3.17 DoS (CVE-2022-22950) (161949)
Path : tomcat/webapps/thredds/WEB-INF/lib/spring-core-4.3.30.RELEASE.jar
Installed version : 4.3.30.RELEASE
Fixed version : 5.2.20
Let me know if you can create a new version for us. Or let us know how we can upgrade to the new log4j & spring versions.
Thanks --Bryan
All,
You can pick up the new release (https://github.com/NOAA-PMEL/LAS/releases/tag/v8.6.18), but
the only change is the struts2-core jar. Replacing the jar file in your LAS_HOME directory, then doing "ant clean; ant deploy" to install it will be the same as what's in the tar.
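The tickets in this thread all key on a jar filename under WEB-INF/lib and a minimum fixed version, so the quickest local check before and after a "replace the jar, ant clean; ant deploy" round is to walk the deployed webapps and compare those filenames against the fixed versions the tickets quote. The script below is an added example written for this thread, not code from LAS, THREDDS or the scanner; it assumes the fixed versions given in tickets #21987, #23430 and #23037, reads versions from jar filenames only (so a shaded, renamed or nested jar would be missed), and builds a constructed sample tree that mirrors the paths in the tickets rather than touching a real Tomcat install.

```shell
#!/bin/sh
# Added example (not part of LAS or THREDDS): report third-party jars under a
# Tomcat webapps tree that sit below the fixed versions quoted in the tickets.
# Versions come from jar filenames only, which is what the scanner keyed on.

# Compare two dotted versions field by field; prints "lt", "eq" or "gt".
# Non-numeric fields such as "RELEASE" in 4.3.30.RELEASE count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "lt"; exit }
            if (p > q) { print "gt"; exit }
        }
        print "eq"
    }'
}

# Minimum fixed version for an artifact, as quoted in the tickets above.
# Usage: fixed_version <artifact> <installed>; returns 1 for untracked jars.
fixed_version() {
    case "$1" in
        log4j-core)
            # Ticket #21987 lists three branches; pick the one the installed
            # version is on (2.0 < 2.3.2, 2.4 < 2.12.4, 2.13 < 2.17.1).
            if   [ "$(vercmp "$2" 2.4)" = lt ];  then echo 2.3.2
            elif [ "$(vercmp "$2" 2.13)" = lt ]; then echo 2.12.4
            else echo 2.17.1; fi ;;
        spring-core)  echo 5.2.20 ;;   # ticket #23430
        struts2-core) echo 2.5.30 ;;   # ticket #23037
        *)            return 1 ;;
    esac
}

# Split "<artifact>-<version>.jar" into "<artifact> <version>".
jar_coords() {
    basename "$1" .jar | sed -E 's/^(.*)-([0-9][^-]*)$/\1 \2/'
}

# Print a VULNERABLE line and return 1 when the jar is below its fixed
# version; return 0 when it is current or not one of the tracked artifacts.
check_jar() {
    set -- "$1" $(jar_coords "$1")      # $1=path $2=artifact $3=version
    fixed=$(fixed_version "$2" "$3") || return 0
    if [ "$(vercmp "$3" "$fixed")" = lt ]; then
        echo "VULNERABLE $1 installed=$3 fixed=$fixed"
        return 1
    fi
    return 0
}

# Walk one or more webapps roots and print every vulnerable tracked jar.
scan_webapps() {
    find "$@" -path '*/WEB-INF/lib/*' -name '*.jar' 2>/dev/null |
    while read -r jar; do
        check_jar "$jar" || true
    done
}

# Number of vulnerable jars under the given roots (0 means clean).
vuln_count() {
    scan_webapps "$@" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the ticket paths; prints its location.
# The jar files are empty placeholders, not real libraries.
build_demo_tree() {
    d=$(mktemp -d)
    for p in \
        thredds/WEB-INF/lib/log4j-core-2.17.0.jar \
        thredds/WEB-INF/lib/spring-core-4.3.30.RELEASE.jar \
        LAS/WEB-INF/lib/struts2-core-2.5.26.jar \
        EarthSystemLAS/WEB-INF/lib/log4j-core-2.17.1.jar \
        EarthSystemLAS/WEB-INF/lib/example-util-1.0.jar; do
        mkdir -p "$d/$(dirname "$p")" && : > "$d/$p"
    done
    echo "$d"
}

# Stand-alone run: three of the five sample jars are reported.
DEMO=$(build_demo_tree)
scan_webapps "$DEMO"
rm -rf "$DEMO"
```

Run it against the real webapps directory (for example `scan_webapps /usr/local/tomcat/webapps`) once before the upgrade and once after the deploy finishes; if the same path is still reported, the rebuilt war did not pick up the new jar and the scanner will flag it again on the next pass.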
Hi Roland,
We got a new Struts vulnerability ticket from NASA.
#23037: High Vulnerability: Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062) (159667)
Path : /usr/local/tomcat/webapps/LAS/WEB-INF/lib/struts2-core-2.5.26.jar
Installed version : 2.5.26
Fixed version : 2.5.30
Let me know if you can create a new version for us. Or let us know how we can upgrade to the new Struts version.
--Bryan
Description: The version of Apache Struts installed on the remote host is prior to 2.5.30. It is, therefore, affected by a vulnerability as referenced in the S2-062 advisory.
- The fix issued for CVE-2020-17530 (S2-061) was incomplete. Still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can
lead to a Remote Code Execution and security degradation. (CVE-2021-31805)
Solution: Upgrade to Apache Struts version 2.5.30 or later. Alternatively, apply the workaround as referenced in the vendor's security bulletin.
See Also:
https://cwiki.apache.org/confluence/display/WW/S2-062
Bryan,
I built a tar file with the new library. I've tested it a bit. You can also just replace the library and recompile.
Hi Roland,
NASA opened another security ticket on our LAS with regard to Struts: we have Struts 2.5.25 but need to upgrade to Struts 2.5.26.
We have some custom content in webapps that would get wiped out by a “ant clean/deploy” operation, so we hesitate to rebuild.
If you can create a new version with the upgraded struts version, that might be best like you did for this release:
https://github.com/NOAA-PMEL/LAS/releases/tag/v8.6.10.
From Security: This needs to be resolved within 14 calendar days.
#19510: High Vulnerability: Apache Struts 2.x < 2.5.26 RCE (S2-061) (143599)
https://www.tenable.com/plugins/nessus/143599
Thanks again –Bryan
***************************************************************
Bryan Littlefield | Email :
bryanl.littlefield@xxxxxxxxxx
Science Systems and Applications, Inc. | (626)508-9403
***************************************************************
--
The policy of the DOC and NOAA requires me to inform you that the opinions in this email are mine and do not necessarily represent the opinion or policy of the Department of Commerce
or the National Oceanic and Atmospheric Administration.
--
You can call or text me at: (425) 666-9624