Dear IPT users,

This is an important message. 

IPT administrators should update their IPTs to the new version 2.3.4, which has a security update and is available for download here [1].

Note that this version requires Java 8 to run. Instructions on how to upgrade to this version can be found in the Release Notes [2].

The security update fixes a critical vulnerability [3] that has been discovered in the Apache Struts web framework, which the IPT uses. 

According to this article [4], this is a remote code execution vulnerability that could allow hackers to execute malicious commands on the IPT server. It also says that hackers are actively exploiting this vulnerability.

If you don't have time to update your IPT immediately, I would advise you to take it offline until you can.

Sincerely,

Kyle Braak

IPT Product Manager
GBIF Secretariat

[1] http://repository.gbif.org/content/groups/gbif/org/gbif/ipt/2.3.4/ipt-2.3.4.war
[2] https://github.com/gbif/ipt/wiki/IPTReleaseNotes233.wiki 
[3] https://struts.apache.org/docs/s2-045.html 
[4] http://thehackernews.com/2017/03/apache-struts-framework.html