Showing entries tagged [patch]

XSS Vulnerability for TDS <= 5.5

An XSS vulnerability has been brought to our attention and fixed. This vulnerability only affects the DAP4 service for versions <= 5.5. We strongly recommend that you either:

1. Disable DAP4 services, or
2. Upgrade to the latest 5.6-SNAPSHOT version. This can be downloaded here. Please note that this newest snapshot now requires JDK 17. Additional JVM arguments are needed, which are in the CHRONICLE_CACHE variable here.

If you have any questions or concerns, please contact support-thredds@unidata.ucar.edu.

Best, The THREDDS development team.

Upgrade NOW: TDS 5.4-SNAPSHOT to address Spring4Shell CVE

All releases of TDS 5 prior to the March 31, 2022 TDS 5.4-SNAPSHOT release are vulnerable to the Spring Framework library Spring4Shell exploit [CVE-2022-22965].

We are aware of active hacking attempts against Internet-based unpatched TDS servers, with one reported successful attempt in the community. Such attempts occurred as early as Wednesday, March 30, before Spring officially announced the existence of the vulnerability.

If you haven't done so already, we strongly encourage 5.x users to upgrade to the latest snapshot immediately.

News@Unidata
News and information from the Unidata Program Center