Updated: April 1st 2022

Statement

On March 29, 2022, a Chinese cybersecurity research firm leaked an attack that could impact most enterprise Java applications globally. An investigation of the issue showed that the root cause was a vulnerability in the widely used, free, community-developed, open-source programming framework called Spring Core. On March 30 we learned of this from a security blog. The CVE is reserved under https://www.cve.org/CVERecord?id=CVE-2022-22965; more details are available at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement, https://tanzu.vmware.com/security/cve-2022-22965 and many other locations.

Impact on: Delft-FEWS Admin Interface and Delft-FEWS Open Archive

Admin Interface: Impact is low/high

The Admin Interface (AI) is normally not exposed to 'the outside world'. Since the Admin Interface sits within a company's network and is protected at the application level by username/password credentials, the impact on the AI is assessed as low. If the Admin Interface is open to the internet, however, the risk is high and immediate action is needed.

Since a Spring Framework release that fixes Spring4Shell is available (version 5.3.18 and version 5.2.20), Deltares will create updates for the supported versions of the Admin Interface. A new version of the Admin Interface is available on request for the supported software versions.

Archive Server - THREDDS component: Impact is low

The THREDDS component contains the Spring4Shell-affected libraries. By default the archive server does not make use of forms to fill in data (the code path that is open to attack); however, it is possible to configure the archive server to use these forms, and then the application is vulnerable. To minimize the risk, please ensure that THREDDS is not open to 'the outside world'.

More information on the latest THREDDS news can be found at https://www.unidata.ucar.edu/blogs/news/entry/upgrade-tds-5-to-latest. We are in the process of updating our software to this latest version.  

For downloading the latest snapshot see here.

Detailed analysis of Delft-FEWS components and the Spring4Shell vulnerability CVE-2022-22965

Initial analysis shows that the vulnerability applies only to the Spring Framework libraries in combination with JDK 9 or later. This means:

Remark: an updated distribution for Delft-FEWS AdminInterface 2018.02 and later will be made available a.s.a.p.

For more information on how to obtain new distributions, please contact fews.support@deltares.nl
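The two conditions above (a Spring Framework build below the fixed 5.3.18 / 5.2.20 releases, running on JDK 9 or later) can be checked on a deployed WAR before an updated distribution is installed. The following is an added example, not part of the original advisory and not Deltares code: it opens a WAR such as fewsadmin.war, reads the Spring Framework jar versions from WEB-INF/lib, and combines them with the Java version the servlet container runs on. The in-memory sample WAR, the jar names in it and the version strings are constructed for the example.

```python
"""Version check for CVE-2022-22965 (Spring4Shell) on a deployed WAR.

Added example (assumption: Spring jars are named spring-<module>-<version>.jar
under WEB-INF/lib, which is the usual Maven layout).  The fixed releases
(5.3.18 and 5.2.20) and the JDK 9+ condition come from the advisory above.
"""
import io
import re
import sys
import zipfile

# Jar names such as spring-core-5.3.17.jar or spring-beans-5.2.19.RELEASE.jar
SPRING_JAR = re.compile(
    r"^WEB-INF/lib/spring-(?:core|beans|context|web|webmvc)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def parse_java_major(version: str) -> int:
    """Map a 'java -version' style string to its major number.

    '1.8.0_312' -> 8 (old 1.x scheme), '11.0.14' -> 11, '17' -> 17.
    """
    parts = version.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(re.match(r"\d+", parts[1]).group())
    return int(re.match(r"\d+", parts[0]).group())


def spring_version_is_fixed(version: tuple) -> bool:
    """True if (major, minor, patch) is at or above a release that fixes the CVE.

    5.3.18+ (including later major lines) and 5.2.20+ are fixed; every other
    5.x line is older and unfixed, so it is treated as affected.
    """
    if version >= (5, 3, 18):
        return True
    return version[:2] == (5, 2) and version >= (5, 2, 20)


def scan_war(war_bytes: bytes, java_version: str) -> dict:
    """Inspect WEB-INF/lib of a WAR and combine the result with the JDK condition."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = SPRING_JAR.match(name)
            if match:
                found.append((name, tuple(int(g) for g in match.groups())))
    unfixed = [name for name, ver in found if not spring_version_is_fixed(ver)]
    jdk9_plus = parse_java_major(java_version) >= 9
    return {
        "spring_jars": found,
        "unfixed_jars": unfixed,
        "jdk9_plus": jdk9_plus,
        # Both conditions from the advisory must hold for the deployment to be at risk
        "at_risk": bool(unfixed) and jdk9_plus,
    }


def build_sample_war(spring_version: str) -> bytes:
    """Constructed sample WAR: only the file layout matters, the jars are empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for module in ("core", "beans", "webmvc"):
            war.writestr(f"WEB-INF/lib/spring-{module}-{spring_version}.jar", b"")
        war.writestr("WEB-INF/lib/other-lib-1.0.jar", b"")  # non-Spring jar, must be ignored
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_spring4shell.py fewsadmin.war 11.0.14
        with open(sys.argv[1], "rb") as fh:
            result = scan_war(fh.read(), sys.argv[2])
    else:
        # No arguments: run against the constructed sample (old Spring on JDK 11)
        result = scan_war(build_sample_war("5.3.17"), "11.0.14")
    for name, ver in result["spring_jars"]:
        print(f"{name}: {'fixed' if spring_version_is_fixed(ver) else 'UNFIXED'}")
    print("JDK 9 or later:", result["jdk9_plus"])
    print("At risk for CVE-2022-22965:", result["at_risk"])
```

Run it with a WAR path and the output of `java -version` on the server to get a per-jar verdict; a deployment on Java 8 with old Spring jars is reported as not at risk, in line with the JDK 9+ condition, but it still needs the update once the new distribution is available.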

Update the Admin Interface (fewsadmin.war)

Follow the instructions on the Update the AdminInterface wiki page (wiki login required).

Update the THREDDS component 

The THREDDS component of the (Delft-FEWS) Open Archive has been updated to the latest version. The latest THREDDS update has been included in our build packages and is available on request. Please follow the instructions on the Update Open Archive wiki page (wiki login required).


Delft-FEWS Product Management