Major news carriers have been reporting recently on Spring Framework Remote Code Execution (RCE) vulnerabilities in Java applications that utilize Spring. VMWare has also posted on the issue in detail. It is fair to say that the specifics of mitigation are still being worked out. However, both the OME team in Dundee as well as Glencoe Software have evaluated the libraries used by OMERO.server and OMERO.insight. We can say with confidence that OMERO and OMERO Plus are not vulnerable as they do not utilize Spring MVC, Spring WebFlux, or Tomcat. Neither pieces of software parse user input via Spring’s Data Binding infrastructure.
— April 1, 2022
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18