THREDDS users,

As stated in our last announcement, all releases of TDS 5 prior to yesterday's TDS 5.4-SNAPSHOT release are vulnerable to the Spring Framework library Spring4Shell exploit (CVE-2022-22965 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>). We are aware of active hacking attempts against Internet-based unpatched TDS servers, with one reported successful attempt in the community. Such attempts occurred as early as Wednesday March 30, before Spring officially announced the existence of the vulnerability: <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted>

If you haven't done so already, we strongly encourage 5.x users to upgrade to the latest snapshot immediately: https://downloads.unidata.ucar.edu/tds/

We recommend users who have run an unpatched version of TDS 5 perform the following steps to determine if someone has attempted to exploit this vulnerability:

- Look for new subdirectories and .jsp files in the Tomcat webapps/ directory.
- Examine any place in your file system the Tomcat user has access/write permissions for anomalies (new files, changes to files, deletion of files).
- Check your access log files and look for dubious requests (specifically POST requests) and pay attention to the server response codes of such requests.

If you note any of the above, please contact your systems administrator and local IT security team.

We also would like to remind everyone of steps to take that may help mitigate application security risks:

- Run your Tomcat server as an underprivileged user and NOT the root/super user.
- Please make sure the Tomcat user has read-only permission to the contents of the conf/, bin/, and lib/ directories in $TOMCAT_HOME.
- Limit the Tomcat user's access and permissions to only the needed directories and files.
- Uninstall all non-essential web applications in the webapps/ directory, including the applications that come with Tomcat.
We will continue to monitor the situation and will share pertinent information as it becomes available. If you have any questions or concerns, please contact support-thredds@xxxxxxxxxxxxxxxx.

Best,
The THREDDS development team

--
Hailey Johnson (she/her)
Software Engineer | THREDDS Developer
Unidata | UCAR Community Programs (UCP)
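The triage steps and the read-only/least-privilege reminders in the announcement above, collected into one shell script. This is an added example, not code from the THREDDS project or from the message author. Everything it relies on is an assumption: Tomcat installed under $TOMCAT_HOME, running as $TOMCAT_USER, writing the default `%h %l %u %t "%r" %s %b` access-log format; the log lines are constructed (documentation IP ranges), and the directory tree it inspects is a stand-in created under mktemp so the script runs offline.

```shell
#!/bin/sh
# Added example (not THREDDS project code): triage and hardening checks for a
# Tomcat-hosted TDS after the Spring4Shell announcement. Assumptions: Tomcat
# lives in $TOMCAT_HOME, runs as $TOMCAT_USER, and writes the default
# "%h %l %u %t \"%r\" %s %b" access-log format. Override via the environment.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
DAYS="${DAYS:-14}"                     # look-back window for "new" files

# Check 1: new subdirectories and .jsp/.jspx files under webapps/. A dropped
# web shell usually lands here. ctime (not mtime) is used because an attacker
# can reset mtime with touch; every hit must be explained by a legitimate deploy.
new_webapp_artifacts() {
  find "$1" -mindepth 1 \( -type d -o -name '*.jsp' -o -name '*.jspx' \) -ctime -"$2"
}

# Check 2: recently changed files the Tomcat user could have written (owned by
# it, or world-writable). Deleted files cannot be found this way; compare
# against a package manifest or a backup for those.
tomcat_writable_changes() {
  find "$2" -xdev -type f \( -user "$1" -o -perm -o+w \) -ctime -"$3"
}

# Check 3: access-log triage. Prints every POST (tagged POST-OK when the server
# answered 2xx, i.e. the request was accepted) and every request for a .jsp path
# (a GET to a freshly dropped page is the usual follow-up to a successful POST).
suspicious_requests() {
  awk '{
    n = split($0, q, "\"")            # q[2] = request line, q[3] = " status bytes"
    if (n < 3) next
    split(q[2], r, " "); split(q[3], s, " ")
    method = r[1]; path = r[2]; status = s[1]
    flag = ""
    if (method == "POST") flag = (status ~ /^2/) ? "POST-OK" : "POST"
    if (path ~ /\.jspx?(\?|$)/) flag = (flag == "") ? "JSP" : flag ",JSP"
    if (flag != "") printf "%-8s %s %-15s %s %s\n", flag, status, $1, method, path
  }' "$@"
}

# Hardening check: anything under conf/, bin/ or lib/ that the Tomcat user owns
# or that is world-writable violates the read-only recommendation.
writable_core_dirs() {
  find "$2/conf" "$2/bin" "$2/lib" \( -user "$1" -o -perm -o+w \)
}

# Hardening check: the account Tomcat actually runs as (empty if not running).
# Anything other than the unprivileged $TOMCAT_USER, and root in particular, is wrong.
tomcat_process_user() {
  ps -eo user=,args= | awk '/org\.apache\.catalina\.startup\.Bootstrap/ && !/awk/ { print $1; exit }'
}

# Constructed sample log (documentation IP ranges), default Tomcat format.
SAMPLE_LOG='203.0.113.5 - - [30/Mar/2022:10:15:02 +0000] "GET /thredds/catalog.html HTTP/1.1" 200 5123
203.0.113.5 - - [30/Mar/2022:10:15:09 +0000] "POST /thredds/catalog.html HTTP/1.1" 200 0
198.51.100.7 - - [30/Mar/2022:10:16:40 +0000] "POST /thredds/dodsC/test.nc HTTP/1.1" 405 0
203.0.113.5 - - [30/Mar/2022:10:17:01 +0000] "GET /cache.jsp HTTP/1.1" 200 85
192.0.2.10 - - [30/Mar/2022:10:18:00 +0000] "GET /thredds/fileServer/data.nc HTTP/1.1" 200 40960'

# Constructed stand-in for $TOMCAT_HOME so the script runs offline; cache.jsp
# plays the role of a dropped web shell (it is only a placeholder comment).
make_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/webapps/ROOT" "$t/webapps/thredds" "$t/conf" "$t/bin" "$t/lib"
  echo '<Server/>' > "$t/conf/server.xml"
  echo '<%-- constructed placeholder, not a real web shell --%>' > "$t/webapps/ROOT/cache.jsp"
  echo "$t"
}

demo() {
  t=$(make_demo_tree)
  echo "== new webapps artifacts (last $DAYS days)"; new_webapp_artifacts "$t/webapps" "$DAYS"
  echo "== recently changed files writable by $(id -un)"; tomcat_writable_changes "$(id -un)" "$t" "$DAYS"
  echo "== suspicious requests"; printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
  echo "== core dirs writable by $(id -un) (demo tree, so everything is flagged)"; writable_core_dirs "$(id -un)" "$t"
  rm -rf "$t"
}
demo
```

To run this against a real server, drop the final `demo` line (or source the file) and call the functions with real paths, e.g. `new_webapp_artifacts "$TOMCAT_HOME/webapps" "$DAYS"`, `writable_core_dirs "$TOMCAT_USER" "$TOMCAT_HOME"`, and `suspicious_requests "$TOMCAT_HOME"/logs/localhost_access_log.*.txt`. A `POST-OK` line means the server accepted a POST; that is the case to chase first, together with any request for a .jsp that no one deployed. Every hit is a lead, not a verdict: legitimate deployments also create directories under webapps/, so each one still has to be explained.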