Updated: April 1st 2022

Statement

On March 29, 2022, a Chinese cybersecurity research firm leaked an attack that could impact most enterprise Java applications, globally. An investigation of the issue showed that the root cause was a vulnerability in the widely used, free, community-developed, open-source programming framework called Spring Core. On March 30 we learned of this from a security blog. The CVE is reserved under https://www.cve.org/CVERecord?id=CVE-2022-22965, but more details are available on https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement and https://tanzu.vmware.com/security/cve-2022-22965 and many other locations.

Impact on: Delft-FEWS Admin Interface and Delft-FEWS Open Archive

Admin Interface: Impact is low/high

The Admin Interface (AI) is normally not exposed to 'the outside world'. Since the Admin Interface is within a company's network and protected at the application level by username/password credentials, the impact on the AI is assessed as low; but if the Admin Interface is open to the internet, then the risk is high and immediate action is needed.

Since a Spring4Shell fix is available (Spring Framework version 5.3.18 and version 5.2.20), Deltares will create updates for the supported versions of the Admin Interface. A new version of the Admin Interface is available on request for the supported software versions.

Archive Server - THREDDS component: Impact is low

The THREDDS component contains the Spring libraries affected by Spring4Shell. By default the archive server does not make use of forms to fill in data (which are vulnerable to attacks); however, it is possible to configure the archive server to use these forms, and then the application is vulnerable. To minimize the risk, please ensure that THREDDS is not open to 'the outside world'.

...

For downloading the latest snapshot see here.

Detailed analysis Delft-FEWS components and Spring4Shell vulnerability CVE-2022-22965.

Initial analysis shows that the vulnerability applies only to the Spring libraries in combination with JDK 9+. This means:

...
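The two conditions named in this statement, a Spring Framework version below the fixed releases (5.3.18 or 5.2.20) and a JDK 9 or newer runtime, are easy to verify on a deployed system. The following script is an example added to this page, not a Deltares or Spring tool: it lists the Spring jars inside a WAR such as fewsadmin.war, compares their versions with the fixed releases, and combines that with the JDK version string. It assumes the jars carry their version in the filename (as in Maven-built WARs) and builds a constructed sample WAR when no path is given.

```python
"""Assess a Spring-based WAR against the Spring4Shell (CVE-2022-22965) fixed versions."""
import re
import sys
import tempfile
import zipfile

# Fixed versions named in the statement: 5.3.18 for the 5.3.x line, 5.2.20 for the 5.2.x line.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring jars whose filename carries the framework version, e.g. WEB-INF/lib/spring-beans-5.3.17.jar
SPRING_JAR_RE = re.compile(
    r"(?:^|/)spring-(?:core|beans|webmvc|web)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_version(text):
    """Turn '5.3.17' or '5.2.20.RELEASE' into a comparable tuple such as (5, 3, 17)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def spring_version_is_fixed(version):
    """True if this Spring Framework version is at or above the patched release of its line.
    Lines other than 5.2.x and 5.3.x have no patched release listed, so they count as not fixed."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v >= fixed


def jdk_is_in_scope(java_version):
    """The statement notes the issue applies in combination with JDK 9+.
    Accepts the old '1.8.0_312' scheme as well as '11.0.14' or '17'."""
    parts = java_version.split(".")
    major = int(parts[1]) if parts[0] == "1" and len(parts) > 1 else int(parts[0])
    return major >= 9


def spring_jars_in_war(war_path):
    """Return (entry name, version tuple) for every Spring jar found inside the WAR."""
    found = []
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = SPRING_JAR_RE.search(name)
            if m:
                found.append((name, tuple(int(x) for x in m.groups())))
    return found


def assess_war(war_path, java_version):
    """Classify a WAR under a given JDK: 'no-spring', 'not-affected', 'patched' or 'vulnerable'."""
    jars = spring_jars_in_war(war_path)
    if not jars:
        return "no-spring"
    if not jdk_is_in_scope(java_version):
        return "not-affected"
    return "patched" if all(spring_version_is_fixed(v) for _, v in jars) else "vulnerable"


def build_sample_war(spring_version, path=None):
    """Construct a minimal WAR with one Spring jar entry (sample data, not a real Delft-FEWS build)."""
    if path is None:
        path = tempfile.NamedTemporaryFile(suffix=".war", delete=False).name
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-beans-{spring_version}.jar", b"")
        war.writestr("WEB-INF/lib/commons-io-2.11.0.jar", b"")  # non-Spring jar, ignored
    return path


if __name__ == "__main__":
    # Usage: python check_spring4shell.py [path/to/fewsadmin.war] [java.version]
    war = sys.argv[1] if len(sys.argv) > 1 else build_sample_war("5.3.17")
    jdk = sys.argv[2] if len(sys.argv) > 2 else "11.0.14"
    for name, v in spring_jars_in_war(war):
        print(f"{name}: {'.'.join(map(str, v))}")
    print(f"assessment on JDK {jdk}: {assess_war(war, jdk)}")
```

Run it against the real WAR and the output of `java -version` on the host that serves it; a 'not-affected' result on JDK 8 still deserves the update, since the JDK may be upgraded later without anyone revisiting the WAR.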

For more information how to obtain new distributions, please contact fews.support@deltares.nl

Update the Admin Interface (fewsadmin.war)

Follow the instructions on Update the AdminInterface. (wiki login required).

Update the THREDDS component 

The THREDDS component of the (Delft-FEWS) Open Archive has been updated to the latest version. The latest THREDDS update has been included in our build packages and is available on request. Please follow the instructions on the Update Open Archive wiki page (wiki login required).

...