The DSpace technical team has circulated the following security advise.
In recent weeks, several security vulnerabilities where discovered in the XMLUI and JSPUI of DSpace 3.x, 4.x and 5.x sites. Some of these vulnerabilities also affect DSpace 1.x.x sites. While these security vulnerabilities vary in severity (see below), WE RECOMMEND ALL DSPACE USERS CONSIDER UPGRADING TO EITHER DSPACE 3.4, 4.3 OR 5.1 to ensure your site is secure. Please note that the DSpace 5.1 release also includes several minor bug fixes to the 5.x platform.
- DSpace 5.1 Release Notes: https://wiki.duraspace.org/display/DSDOC5x/Release+Notes
- DSpace 4.3 Release Notes: https://wiki.duraspace.org/display/DSDOC4x/Release+Notes
- DSpace 3.4 Release Notes: https://wiki.duraspace.org/display/DSPACE/DSpace+Release+3.4+Notes
Where possible, WE ALSO RECOMMEND IMMEDIATELY REMOVING ANY "allowLinking=true" SETTINGS from your Tomcat <Context> configuration. Previously our DSpace installation documentation erroneously listed examples which included "allowLinking=true", while the Tomcat documentation details it as a possible security concern . The XMLUI Directory Traversal Vulnerability (see below) is also exacerbated by having "allowLinking=true" enabled.
NOTICE FOR DSPACE 1.x.x USERS- Per our DSpace Software Support Policy , all DSpace 1.x.x versions are now "End-Of-Life" (EOL). This includes versions 1.8.3 and below. As such, we will not be releasing any further 1.x.x versions (even though several of these vulnerabilities do exist in 1.x.x versions). We recommend either manually patching your instances or upgrading. If you are considering an upgrade from DSpace 1.x.x, note that, as of DSpace 5, your existing data (i.e. database contents, search/browse indexes) will now be automatically upgraded from ANY prior version of DSpace (1.x.x, 3.x or 4.x). Therefore, you may wish to consider upgrading directly to DSpace 5.1, as the 5.x upgrade process is simplified.
Summary of XMLUI Vulnerabilities:
[HIGH SEVERITY] XMLUI Directory Traversal Vulnerabilities: These vulnerabilities allows someone to potentially access any file on your local filesystem which is readable to the Tomcat user account. This includes files which are unrelated to DSpace or Tomcat, but are readable to all users on the filesystem (e.g. on Linux this includes /etc/passwd, /etc/hosts, etc). This also includes Tomcat configuration files (which may or may not contain passwords). These vulnerabilities have existed since DSpace 1.5.2. The initial vulnerability was discovered by Khalil Shreateh, with additional (related) vulnerabilities discovered by the Committer Team.
In some configurations of Tomcat, simply removing any "allowLinking=true" settings from your Tomcat's <Context> configuration will limit the directory traversal vulnerability's severity to only allow access to files within the XMLUI web application directory.
More information (and a patch) is available at https://jira.duraspace.org/browse/DS-2445 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)
Summary of JSPUI Vulnerabilities
[MEDIUM SEVERITY] JSPUI Directory Traversal Vulnerability: This vulnerability allows someone to potentially access any file within the JSPUI web application directory (e.g. WEB-INF/web.xml). This vulnerability is believed to have existed in all prior versions of DSpace, and was discovered by Khalil Shreateh.
More information (and a patch) is available at https://jira.duraspace.org/browse/DS-2448 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)
More information is available at https://jira.duraspace.org/browse/DS-1702 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)
More information is available at https://jira.duraspace.org/browse/DS-2044 (Requires a DuraSpace JIRA account to access for two weeks, and then will be publicly available)
If you or your institution have any further questions about these vulnerabilities, please feel free to email the DSpace Tech Support mailing list ([email protected]).