HakaiInstitute / hakai-erddap

Hakai Datasets that are going into https://catalogue.hakai.org/erddap/

Vulnerability with postgresql driver #174

Open JessyBarrette opened 9 months ago

JessyBarrette commented 9 months ago

We would need to fix this. Perhaps this will be fixed within the erddap-docker container prior to us

A critical vulnerability has been identified in the Postgresql JDBC driver. If you are using Postgresql with ERDDAP, please update as soon as possible and let us know if it causes any problems. In the instructions it points to:

> https://mvnrepository.com/artifact/org.postgresql/postgresql

as one place to get the driver.  The instructions on where to put the JDBC driver and other settings are:

> JDBC Driver and <driverName> -- You must get the appropriate JDBC 3 or JDBC 4 driver .jar file for your database and
> put it in tomcat/webapps/erddap/WEB-INF/lib after you install ERDDAP. Then, in your datasets.xml for this dataset, you must specify the <driverName> for this driver, which is (unfortunately) different from the filename. Search on the web for the JDBC driver for your database and the driverName that Java needs to use it.
>
> After you put the JDBC driver .jar in ERDDAP lib directory, you need to add a reference to that .jar file in the .bat and/or .sh script files for GenerateDatasetsXml, DasDds, and ArchiveADataset which are in the tomcat/webapps/erddap/WEB-INF/ directory; otherwise, you'll get a ClassNotFoundException when you run those scripts.

Note that this update can be done without an update to the rest of ERDDAP, but as always we recommend running the latest version of ERDDAP (presently 2.23).

steviewanders commented 9 months ago

Can you post the original text/document. Missing details and context.

JessyBarrette commented 9 months ago

This is coming from the ERDDAP google chat. Here's the thread https://groups.google.com/g/erddap/c/HrqztnJEBBc/m/P_3vdxkyAwAJ?utm_medium=email&utm_source=footer

JessyBarrette commented 9 months ago

FYI this is also where all the historical discussions regarding ERDDAP live. Some of it is now living within the ERDDAP GitHub Repository.

JessyBarrette commented 9 months ago

Seems straightforward to manage on our side by mounting the driver within the containers, either via docker-compose for the present main/dev branch or the Dockerfile for caprover-deploy.

This is only affecting the Hakai ERDDAP, which points to the Hakai PostgreSQL database.
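An added verification check, not code from the hakai-erddap project or the ERDDAP instructions quoted above: it lists the pgjdbc driver jars found in an ERDDAP `WEB-INF/lib` directory (the location the quoted instructions give, and the path a container mount would target) and flags any whose filename version is below a required minimum. The minimum version and the sample jar names are constructed placeholders, not values from the advisory.

```shell
#!/bin/sh
# Flag outdated postgresql JDBC driver jars in an ERDDAP WEB-INF/lib directory.
# Relies on pgjdbc's Maven artifact naming: postgresql-<major>.<minor>.<patch>.jar
set -u

# Compare two dotted version strings; succeeds (exit 0) when $1 >= $2.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Print the version encoded in a pgjdbc jar filename; prints nothing otherwise.
pgjdbc_version() {
  basename "$1" | sed -n 's/^postgresql-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Print every pgjdbc jar in lib dir $1 older than minimum version $2.
# Exit status: 0 when no outdated jar is present, 1 when at least one is.
outdated_pgjdbc_jars() {
  lib="$1"; min="$2"; rc=0
  for jar in "$lib"/postgresql-*.jar; do
    [ -e "$jar" ] || continue          # no match: glob stays literal, skip it
    v=$(pgjdbc_version "$jar")
    [ -n "$v" ] || continue
    if ! version_ge "$v" "$min"; then
      echo "$jar"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a throwaway WEB-INF/lib holding an old and a new driver jar.
LIB=$(mktemp -d)/WEB-INF/lib
mkdir -p "$LIB"
: > "$LIB/postgresql-42.5.0.jar"
: > "$LIB/postgresql-42.7.9.jar"
MIN_VERSION="42.7.0"   # PLACEHOLDER: substitute the fixed version named in the advisory

outdated_pgjdbc_jars "$LIB" "$MIN_VERSION" || echo "outdated driver(s) found in $LIB"
```

Inside a running container the same check applies to tomcat/webapps/erddap/WEB-INF/lib; when an old jar sits beside the new one, remove the old one rather than leaving both on the classpath.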

steviewanders commented 9 months ago

> This is coming from the ERDDAP google chat. Here's the thread https://groups.google.com/g/erddap/c/HrqztnJEBBc/m/P_3vdxkyAwAJ?utm_medium=email&utm_source=footer

This also does not link to or mention what the actual vulnerability is or a CVE?

steviewanders commented 9 months ago

https://github.com/advisories/GHSA-v7wg-cpwc-24m4

steviewanders commented 9 months ago

Basically only an issue if you expose the Postgresql connection string, which we do not.

So can be fixed as part of a normal upgrade process, whatever we decide that is.

@JessyBarrette Can you link to the commit to the Dockerfile that is being deployed here when you upgrade it please.