Hi Tim and others,

On DSpace 8.0 I have been able to change the version using the attached patch file. I found that the tomcat.version property alone wasn’t enough to change it and so ended up overriding the dependencies.

-Andrew

From: DSpace Technical Support <dspace-tech@googlegroups.com>
Date: Wednesday, 19 March 2025 at 8:33 AM
To: DSpace Technical Support <dspace-tech@googlegroups.com>
Subject: Re: [Extern] [dspace-tech] CVE-2025-24813 Vulnerability in Tomcat versions 9.0, 10.1 and 11.0

Hi Michael,


Good question. If you are using the embedded Tomcat (provided by Spring Boot and introduced in DSpace 8), then you should be able to tell Spring Boot to build with a different version by specifying this property in your Parent POM (the root "pom.xml" in the src folder):



<tomcat.version>10.1.39</tomcat.version>

This setting would go in the "<properties>" section alongside all the other version tags that DSpace uses during the build process: https://github.com/DSpace/DSpace/blob/dspace-8.1/pom.xml#L19

Alternatively, if you are running DSpace 8.1 already, you could update the existing "spring-boot.version" setting to be: "<spring-boot.version>3.4.3</spring-boot.version>", as that will also pull in a fixed version of Tomcat 10.1.x. (I'm not sure that change will work with an 8.0 installation though, because it used an older version of Spring Boot.)

After making either of these changes to your pom.xml, you would need to rebuild your DSpace installation, at which point Spring Boot should pull in an updated version of Tomcat.


Tim

On Tuesday, March 18, 2025 at 11:52:41AM UTC-5 Michael Plate wrote:

Hi Tim,

thanks for the information.
What about those of us running the embedded version in server-boot.jar -
looking at the logs ours tells

2025-03-18 17:35:00,130 INFO unknown unknown org.apache.catalina.core.StandardEngine @ Starting Servlet engine: [Apache Tomcat/10.1.24]

Version seems to be 10.1.24. Presumably we do need to rebuild?
My maven repo contains this:

.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/
10.1.24 9.0.75

Cleaning the maven repo and rebuilding did not update to anything newer
than 10.1.24.

How does one continue?

CU

Michael

Am 18.03.25 um 17:16 schrieb DSpace Technical Support:
> All,
>
> You may have already come across this, but Apache Tomcat has had a major
> RCE (Remote Code Execution) vulnerability (CVE-2025-24813) announced
> within the last week, and exploits are already occurring.
[…]

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech+unsubscr...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dspace-tech/10c94e72-d977-436a-bb78-2d97f878967cn%40googlegroups.com.

--
To view this discussion visit https://groups.google.com/d/msgid/dspace-tech/512E11F1-E5C9-1142-901B-1CBC8970EAAB%40hxcore.ol.

Attachment: patch.diff
Description: Binary data
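The thread ends with the upgrade applied but without a check that the rebuilt server-boot.jar actually bundles a fixed Tomcat. The script below is an added example written for this page; it is not DSpace project code and not Andrew's attached patch. It assumes the Spring Boot fat-jar layout (dependency jars under BOOT-INF/lib/, named like tomcat-embed-core-10.1.24.jar) and uses 10.1.39, the release Tim names as fixed, as the minimum acceptable version; pick the floor for your own Tomcat line. It treats a jar whose tomcat-embed-* artifacts carry different versions as a failed upgrade, on the assumption that this is what a partial dependency override produces (for example, only tomcat-embed-core pinned while tomcat-embed-el and tomcat-embed-websocket stay at the BOM's version). It also parses the Catalina startup line Michael quoted, so the same floor can be checked against a running instance's log. The sample jars and the log line in demo() are constructed for the example.

```python
"""Verify which embedded Tomcat a Spring Boot fat jar (e.g. DSpace server-boot.jar) bundles.

Added example, not DSpace project code. Assumes the BOOT-INF/lib/ layout and
uses the 10.1.39 figure from the mailing-list thread as the minimum version.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# 10.1.39 is the release the thread names as fixed on the 10.1 line (assumption:
# adjust to the fixed release for whichever Tomcat line your build targets).
MIN_FIXED: Version = (10, 1, 39)

# Spring Boot fat jars keep dependency jars under BOOT-INF/lib/ (assumed layout).
JAR_ENTRY_RE = re.compile(
    r"^BOOT-INF/lib/(tomcat-embed-[a-z]+)-(\d+)\.(\d+)\.(\d+)\.jar$")

# Catalina startup line, as quoted in the thread:
#   ... StandardEngine @ Starting Servlet engine: [Apache Tomcat/10.1.24]
ENGINE_LOG_RE = re.compile(
    r"Starting Servlet engine: \[Apache Tomcat/(\d+)\.(\d+)\.(\d+)\]")


def parse_engine_log(line: str) -> Optional[Version]:
    """Return the Tomcat version from a Catalina startup log line, or None."""
    m = ENGINE_LOG_RE.search(line)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def bundled_tomcat_versions(jar_path: str) -> Dict[str, Version]:
    """Map every tomcat-embed-* artifact found in the fat jar to its version."""
    found: Dict[str, Version] = {}
    with zipfile.ZipFile(jar_path) as z:
        for name in z.namelist():
            m = JAR_ENTRY_RE.match(name)
            if m:
                found[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return found


def check_jar(jar_path: str, min_version: Version = MIN_FIXED) -> Tuple[str, Dict[str, Version]]:
    """Classify the jar as 'fixed', 'stale', 'mixed' or 'none'.

    'mixed' means the tomcat-embed-* artifacts do not all share one version,
    i.e. only some of them were overridden in the POM. Treat it as a failed
    upgrade, not a partial success: all of them must move together.
    """
    versions = bundled_tomcat_versions(jar_path)
    if not versions:
        return "none", versions          # no embedded Tomcat found; nothing to vouch for
    if len(set(versions.values())) > 1:
        return "mixed", versions
    if min(versions.values()) < min_version:
        return "stale", versions
    return "fixed", versions


def make_sample_jar(path: str, versions: Dict[str, str]) -> str:
    """Write a constructed stand-in for server-boot.jar: a zip holding only the
    BOOT-INF/lib/ entry names, which is all check_jar() looks at."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for artifact, ver in versions.items():
            z.writestr(f"BOOT-INF/lib/{artifact}-{ver}.jar", b"")
    return path


def demo() -> Dict[str, str]:
    """Run check_jar() over three constructed jars and return the verdicts."""
    samples = {
        "stale": {"tomcat-embed-core": "10.1.24", "tomcat-embed-el": "10.1.24",
                  "tomcat-embed-websocket": "10.1.24"},
        "mixed": {"tomcat-embed-core": "10.1.39", "tomcat-embed-el": "10.1.24",
                  "tomcat-embed-websocket": "10.1.24"},
        "fixed": {"tomcat-embed-core": "10.1.39", "tomcat-embed-el": "10.1.39",
                  "tomcat-embed-websocket": "10.1.39"},
    }
    verdicts: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, vers in samples.items():
            jar = make_sample_jar(str(Path(tmp) / f"server-boot-{label}.jar"), vers)
            verdicts[label] = check_jar(jar)[0]
    return verdicts


if __name__ == "__main__":
    print(demo())
    log = ("2025-03-18 17:35:00,130 INFO unknown unknown "
           "org.apache.catalina.core.StandardEngine @ Starting Servlet engine: [Apache Tomcat/10.1.24]")
    print(parse_engine_log(log), "meets floor:", parse_engine_log(log) >= MIN_FIXED)
```

To use it on a real build, call check_jar() with the path of your rebuilt server-boot.jar and expect "fixed"; a "stale" verdict after a clean rebuild means the POM change did not take effect, and "mixed" means only some of the tomcat-embed-* artifacts were overridden. The log parser is a second, independent signal once the instance is restarted.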
