All releases of TDS 5 prior to the March 31, 2022 TDS 5.4-SNAPSHOT release are vulnerable to Spring4Shell (CVE-2022-22965), a remote code execution vulnerability in the Spring Framework library.
We are aware of active hacking attempts against Internet-based unpatched TDS servers, with one reported successful attempt in the community. Such attempts occurred as early as Wednesday, March 30, before Spring officially announced the existence of the vulnerability.
If you haven't done so already, we strongly encourage TDS 5.x users to upgrade to the latest snapshot immediately: https://downloads.unidata.ucar.edu/tds/
We recommend that users who have run an unpatched version of TDS 5 perform the following steps to determine whether someone has attempted to exploit this vulnerability:
- Look for new subdirectories and .jsp files in the Tomcat webapps/ directory.
- Examine every place in your file system where the Tomcat user has write permission for anomalies (new files, changed files, deleted files).
- Check your access log files for dubious requests (specifically POST requests) and pay attention to the server response codes of those requests.
If you note any of the above, please contact your systems administrator and local IT security team.
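An added triage helper for the three checks above, written for this page and not part of the THREDDS post or of Tomcat itself: it lists recently created subdirectories and .jsp files under webapps/, lists recently changed files owned by the Tomcat user under a directory you name, and filters a Tomcat access log in the default common/combined pattern for POST requests, requests to .jsp files, and requests whose URI carries the class.module.classLoader parameter prefix that public Spring4Shell exploits use, printing each with its status code. TOMCAT_HOME, TOMCAT_USER and the log path are assumptions; the access-log lines at the bottom are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added triage helper (not part of the THREDDS post or of Tomcat).
# Assumptions: TOMCAT_HOME, TOMCAT_USER and ACCESS_LOG point at your install.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
ACCESS_LOG="${ACCESS_LOG:-$TOMCAT_HOME/logs/localhost_access_log.txt}"

# Check 1: subdirectories and .jsp files under webapps/ created or modified in
# the last N days (default 30, which reaches back before the first attempts seen).
list_recent_webapps_changes() {
    days="${1:-30}"
    find "$TOMCAT_HOME/webapps" -mindepth 1 \( -type d -o -name '*.jsp' \) -mtime "-$days" 2>/dev/null
}

# Check 2: recently changed files owned by the Tomcat user under a directory it
# can write to. Run it for every such directory (temp/, work/, logs/, and any
# data directories the TDS writes).
list_recent_tomcat_owned_files() {
    dir="$1"; days="${2:-30}"
    find "$dir" -user "$TOMCAT_USER" -type f -mtime "-$days" 2>/dev/null
}

# Check 3: from an access log in Tomcat's default common/combined pattern
# (host ident user [time] "method uri proto" status bytes ...), print
# "status method uri" for every POST, every request to a .jsp, and every
# request whose URI carries the class.module.classLoader parameter prefix.
# A 200 on a .jsp that is not part of the TDS is the strongest sign that a
# file was planted and then called.
suspicious_requests() {
    awk '
        {
            method = $6; sub(/^"/, "", method)   # strip the opening quote of "%r"
            uri = $7; status = $9
            if (method == "POST" || uri ~ /\.jsp/ || uri ~ /class\.module\.classLoader/)
                print status, method, uri
        }' "$1"
}

# Same filter as a single number, for scripting or alerting.
count_suspicious_requests() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real traffic) so the filter can be exercised offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [30/Mar/2022:10:15:01 -0600] "GET /thredds/catalog.html HTTP/1.1" 200 5120
203.0.113.10 - - [30/Mar/2022:10:15:02 -0600] "POST /thredds/admin/ HTTP/1.1" 403 512
198.51.100.7 - - [30/Mar/2022:10:16:44 -0600] "POST /thredds/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=PAYLOAD HTTP/1.1" 400 0
198.51.100.7 - - [30/Mar/2022:10:16:50 -0600] "GET /thredds/dropped.jsp?cmd=id HTTP/1.1" 200 240
EOF

echo "suspicious requests in sample log: $(count_suspicious_requests "$SAMPLE_LOG")"
suspicious_requests "$SAMPLE_LOG"
if [ -d "$TOMCAT_HOME/webapps" ]; then
    echo "recent webapps/ changes:"
    list_recent_webapps_changes 30
fi
```

On a real server replace SAMPLE_LOG with ACCESS_LOG (and the rotated copies alongside it). The three sample lines it flags illustrate the response-code point: the 403 and 400 show attempts that were refused, while a 200 on a .jsp you did not deploy means the request reached a file that should not exist.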
We would also like to remind everyone of steps that may help mitigate application security risks:
- Run your Tomcat server as an unprivileged user, NOT as root/the superuser.
- Make sure the Tomcat user has read-only permission to the contents of the conf/, bin/, and lib/ directories in $TOMCAT_HOME.
- Limit the Tomcat user's access and permissions to only the directories and files it needs.
- Uninstall all non-essential web applications in the webapps/ directory, including the applications that ship with Tomcat.
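An added example, not from the THREDDS post and not Tomcat's own tooling, that applies and verifies the steps above: it reports which user the running Tomcat JVM belongs to, makes conf/, bin/ and lib/ readable but not writable by the Tomcat user, removes the stock Tomcat web applications, and checks the result. TOMCAT_HOME, TOMCAT_USER and TOMCAT_GROUP are assumed names; the temporary directory at the end is a constructed stand-in for a real install so the script runs offline, and chown is only attempted when the script is run as root.

```shell
#!/bin/sh
# Added hardening helper (not part of the THREDDS post or of Tomcat).
# Assumptions: Tomcat lives in TOMCAT_HOME and runs as TOMCAT_USER:TOMCAT_GROUP.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"

# Step 1 check: which user owns the running Tomcat JVM? Prints the user, or
# nothing if Tomcat is not running. "root" here means stop and fix the service.
tomcat_process_user() {
    ps -eo user=,args= | awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1; exit }'
}

# Returns 0 if nothing under $1 has a group- or other-write bit set, 1 otherwise
# (printing the offenders). With the tree owned by root:$TOMCAT_GROUP, this is
# what "read-only for the Tomcat user" means in practice.
verify_readonly_tree() {
    offenders=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$offenders" ]; then
        printf 'writable by group/other under %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Step 2: conf/, bin/, lib/ owned by root (when we are root) with group read only:
# directories 750, files 640, and bin/*.sh 750 so the Tomcat user can still start it.
harden_tomcat_dirs() {
    home="$1"
    for d in conf bin lib; do
        [ -d "$home/$d" ] || continue
        if [ "$(id -u)" -eq 0 ]; then
            chown -R "root:$TOMCAT_GROUP" "$home/$d"
        fi
        find "$home/$d" -type d -exec chmod 750 {} +
        find "$home/$d" -type f -exec chmod 640 {} +
    done
    if [ -d "$home/bin" ]; then
        find "$home/bin" -name '*.sh' -exec chmod 750 {} +
    fi
}

# Step 4: remove the applications that ship with Tomcat (ROOT, docs, examples,
# manager, host-manager) and their .war files; keep only what you deploy.
remove_stock_webapps() {
    webapps="$1"
    for app in ROOT docs examples manager host-manager; do
        rm -rf "$webapps/$app" "$webapps/$app.war"
    done
}

# Constructed demo tree (stand-in for a real $TOMCAT_HOME) so this runs offline.
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/conf" "$DEMO/bin" "$DEMO/lib" "$DEMO/webapps/docs" "$DEMO/webapps/thredds"
printf '<Server/>\n' > "$DEMO/conf/server.xml"
printf 'exec java org.apache.catalina.startup.Bootstrap "$@"\n' > "$DEMO/bin/catalina.sh"
chmod 666 "$DEMO/conf/server.xml"   # deliberately wrong: the Tomcat user could edit it
chmod 777 "$DEMO/lib"               # deliberately wrong: anyone could drop a jar here

echo "Tomcat currently runs as: ${TOMCAT_PROCESS_USER:-$(tomcat_process_user)}"
verify_readonly_tree "$DEMO/conf" || echo "before: conf/ is writable, as expected"
harden_tomcat_dirs "$DEMO"
remove_stock_webapps "$DEMO/webapps"
for d in conf bin lib; do
    verify_readonly_tree "$DEMO/$d" && echo "after: $d/ is read-only for the Tomcat user"
done
echo "remaining webapps: $(ls "$DEMO/webapps")"
```

To apply this to a real install, run harden_tomcat_dirs "$TOMCAT_HOME" and remove_stock_webapps "$TOMCAT_HOME/webapps" as root with the service stopped, then restart and confirm tomcat_process_user prints the unprivileged account. If the TDS needs to write somewhere (its content directory, for example), grant that directory separately rather than loosening conf/, bin/ or lib/.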
We will continue to monitor the situation and will share pertinent information as it becomes available. If you have any questions or concerns, please contact support-thredds@unidata.ucar.edu.
Best, The THREDDS development team
Posted by David on April 20, 2022 at 07:33 AM MDT #
Posted by Hailey Johnson on April 21, 2022 at 05:20 AM MDT #