Re: [thredds] Spring4Shell in THREDDS

• To: "Mouchyn, Chris" <mouchyn@xxxxxxxx>
• Subject: Re: [thredds] Spring4Shell in THREDDS
• From: Ana Espinoza <respinoza@xxxxxxxx>
• Date: Tue, 28 Mar 2023 16:40:56 -0600

Hey all,

Please update your thredds-docker images to `unidata/thredds-docker:5.4`.
You can find the available tags here:
https://hub.docker.com/r/unidata/thredds-docker/tags

If you encounter any issues while doing so, please email
support-gateway@xxxxxxxxxxxxxxxx for docker specific assistance or
support-thredds@xxxxxxxxxxxxxxxx for more general THREDDS assistance.

Thank you,

Ana Espinoza (she/her)

*Software Engineer II -- Science Gateway*
*Unidata*


On Tue, Mar 28, 2023 at 4:13 PM Mouchyn, Chris via thredds <
thredds@xxxxxxxxxxxxxxxx> wrote:

> Howdy,
>
> Our campus vulnerability scanners indicate that the latest docker image
> for THREDDS is vulnerable to the Spring4Shell exploit.
>
> https://tenable.com/plugins/nessus/159542
>
> The listed solution is: Upgrade to Spring Framework version 5.2.20 or
> 5.3.18 or later.
>
> Is there an ETA on this update for THREDDS?
>
> Thanks,
>
> Chris Mouchyn | Linux Infrastructure
> Technology Services – Arts & Sciences
> Texas A&M University
> 1355 TAMU | College Station, TX 77843-1355
> mouchyn@xxxxxxxx
> - - - - - - - - - - - - - - - - - - - - - - - -
> it.tamu.edu/artscience
>
> _______________________________________________
> NOTE: All exchanges posted to Unidata maintained email lists are
> recorded in the Unidata inquiry tracking system and made publicly
> available through the web.  Users who post to any of the lists we
> maintain are reminded to remove any personal information that they
> do not want to be made public.
>
>
> thredds mailing list
> thredds@xxxxxxxxxxxxxxxx
> For list information or to unsubscribe,  visit:
> https://www.unidata.ucar.edu/mailing_lists/
>

• References:
  • [thredds] Spring4Shell in THREDDS
    • From: Mouchyn, Chris