New version 2.3.4 with security update
Dear IPT users,
This is an important message.
IPT administrators should update their IPTs to the new version 2.3.4 available for download here http://repository.gbif.org/content/groups/gbif/org/gbif/ipt/2.3.4/ipt-2.3.4.war [1], which has a security update.
Note this version requires Java 8 to run, and instructions on how to upgrade to this version can be found in the Release Notes https://github.com/gbif/ipt/wiki/IPTReleaseNotes233.wiki [2].
The security update fixes a critical vulnerability https://struts.apache.org/docs/s2-045.html [3] that has been discovered in the Apache Struts web framework, which the IPT uses.
According to this article http://thehackernews.com/2017/03/apache-struts-framework.html [4], this is a remote code execution vulnerability that could allow hackers to execute malicious commands on the IPT server. It also says that hackers are actively exploiting this vulnerability.
If you don't have time to update your IPT immediately, I would advise you to take it offline until you can.
Sincerely,
Kyle Braak
IPT Product Manager GBIF Secretariat
[1] http://repository.gbif.org/content/groups/gbif/org/gbif/ipt/2.3.4/ipt-2.3.4....
[2] https://github.com/gbif/ipt/wiki/IPTReleaseNotes233.wiki
[3] https://struts.apache.org/docs/s2-045.html
[4] http://thehackernews.com/2017/03/apache-struts-framework.html