DSPACE SECURITY ADVISORY: New DSpace 5.1, 4.3 and 3.4 releases resolve security issues in XMLUI and JSPUI

The DSpace technical team has circulated the following security advise

In recent weeks, several security vulnerabilities where discovered in the XMLUI and JSPUI of DSpace 3.x, 4.x and 5.x sites. Some of these vulnerabilities also affect DSpace 1.x.x sites. While these security vulnerabilities vary in severity (see below), WE RECOMMEND ALL DSPACE USERS CONSIDER UPGRADING TO EITHER DSPACE 3.4, 4.3 OR 5.1 to ensure your site is secure. Please note that the DSpace 5.1 release also includes several minor bug fixes to the 5.x platform.

Where possible, WE ALSO RECOMMEND IMMEDIATELY REMOVING ANY "allowLinking=true" SETTINGS from your Tomcat <Context> configuration. Previously our DSpace installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation details it as a possible security concern [1]. The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by having "allowLinking=true" enabled.

NOTICE FOR DSPACE 1.x.x USERS- Per our DSpace Software Support Policy [2], all DSpace 1.x.x versions are now "End-Of-Life" (EOL). This includes versions 1.8.3 and below. As such, we will not be releasing any further 1.x.x versions (even though several of these vulnerabilities do exist in 1.x.x versions). We recommend either manually patching your instances or upgrading. If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace (1.x.x, 3.x or 4.x). Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 5.x upgrade process is simplified.

Vulnerabilities Summary

Summary of XMLUI Vulnerabilities:

[HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities: These vulnerabilities allows someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. on Linux this includes /etc/passwd, /etc/hosts, etc). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2. The initial vulnerability was discovered by Khalil Shreateh, with additional (related) vulnerabilities discovered by the Committer Team.

In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory.

More information (and a patch) is available at https://jira.duraspace.org/browse/DS-2445 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)

Summary of JSPUI Vulnerabilities

[MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability: This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace, and was discovered by Khalil Shreateh.

More information (and a patch) is available at https://jira.duraspace.org/browse/DS-2448 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)

[LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings. This vulnerability could allow a depositor/submitter to embed dangerous Javascript code into the metadata of a new submission, thus causing that code to be run across other user accounts. However, this vulnerability is only possible by someone with privileges to add content to your DSpace site. This vulnerability has existed since DSpace 1.5.x, and was discovered by Jean-Paul Zhao (University of Toronto).

More information is available at https://jira.duraspace.org/browse/DS-1702 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)

[LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI Discovery search form: This vulnerability could allow someone to embed dangerous Javascript code into links to search results. If a user was emailed such a link and clicked it, the javascript would be run in their local browser. This vulnerability has existed since DSpace 3.x. It was discovered on DSpace 4.x and 5.x by Gabriela Mircea (McMaster University) and Khalil Shreateh. It was discovered on DSpace 3.x by Ilyas Orak (Biznet Bilisim A.S.).

More information is available at https://jira.duraspace.org/browse/DS-2044 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)

If you or your institution have any further questions about these vulnerabilities, please feel free to email the DSpace Tech Support mailing list (dspace-tech@lists.sourceforge.net).


Add comment

Log in or register to post comments