dm Server Known Vulnerabilities and Issues
Components of dm Server
SpringSource dm Server is built with the following components. Please see the security advisories information for each component for more information on the security vulnerabilities and issues that may affect that component.
| Component | Security advisories |
|---|---|
| Apache Tomcat 6 | Tomcat 6 security advisories |
| Spring Framework | Spring Framework security advisories |
| Dojo | Dojo security advisories |
dm Server is built using the following versions of these components
| dm Server version | Apache Tomcat version | Spring Framework version | dojo version |
|---|---|---|---|
| 2.0.5.RELEASE | 6.0.32.S2-r1673 | 3.0.0.RELEASE | 1.3.3 |
| 2.0.4.RELEASE | 6.0.29.S2-r1559 | 3.0.0.RELEASE | 1.3.3 |
| 2.0.3.RELEASE | 6.0.20.S2-r5956 | 3.0.0.RELEASE | 1.3.3 |
| 2.0.2.RELEASE | 6.0.20.S2-r5956 | 3.0.0.RELEASE | 1.3.3 |
| 2.0.1.RELEASE | 6.0.20.S2-r5956 | 3.0.0.RELEASE | 1.3.3 |
| 2.0.0.RELEASE | 6.0.20.S2-r5956 | 3.0.0.RELEASE | 1.3.2 |
| 1.0.2.SR02 | 6.0.18 | 2.5.6.A | - |
Note that CVE-2009-3548, a vulnerability in Apache Tomcat 6.0.20, does not affect dm Server since dm Server does not use the Windows installer provided with Tomcat.
Note that CVE-2009-3555, the SSL protocol MITM vulnerability, may be worked around via configuration. Details are provided on the Tomcat 6 security advisories page.
To address vulnerabilities in Spring Framework, upgrade to dm Server 2.0.x, replace the Spring Framework bundles and the file org.springframework.spring-library-<version>.libd in the repository/ext directory with the corresponding files from the updated Spring Framework, then restart dm Server with the -clean option.
Known Vulnerabilities in dm Server
There are no known vulnerabilities in dm Server over and above those known to exist in the components of dm Server