From: Garrett S. <ste...@gm...> - 2025-03-05 00:35:57
Version 2.8.0 of Apollo has been released: https://github.com/GMOD/Apollo/releases/tag/2.8.0. This release fixes security vulnerabilities in Apollo versions 2.4.0 through 2.7.0. For a detailed report of these vulnerabilities, please see https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07. In summary, the discovered vulnerabilities include the ability of a malicious user to escalate their privileges within the Apollo app to admin levels (that is, they can become an Apollo administrator), the ability to retrieve a list of email addresses of other Apollo users, and - most seriously of all - the ability to upload arbitrary files to the file system in any directory writable by the Tomcat process that runs the Apollo server.

While the Tomcat documentation recommends not running Tomcat as the root user, this advice is often ignored by Linux distributions; for example, in Ubuntu, Tomcat runs as root. Consequently, it seems likely that many installations will face the worst-case scenario that a malicious user could upload system files that would allow remote access to the Apollo server.

*It is critical that you update your Apollo 2.4.0 to 2.7.0 installations as soon as possible.* While we are not aware of any active exploitation of these vulnerabilities, it is only a matter of time before publicly disclosed vulnerabilities are systematically exploited by hackers. Consequently, we strongly recommend applying the update to protect your systems.

We also want to make it clear that these patches only apply to the legacy 2.0 version of Apollo. Since 2018, Apollo development has been folded into the JBrowse project, and the recently released version of Apollo (v3.0) was designed with security principles built in from the start. Naturally, as maintainers of version 2.0, we take your system security extremely seriously and have made every effort to provide this security update in as timely a fashion as possible.
In addition to the aforementioned Apollo vulnerabilities, the CISA researchers also discovered a reflected cross-site scripting (XSS) vulnerability in JBrowse 1, and we have included a patch for this as well. We also note that, as with the Apollo 2 flaws, these security flaws do not apply to the latest version of JBrowse (JBrowse 2), which was designed with stronger security patterns from the outset.

If you are using Docker to deploy Apollo, there are two different images you can choose from. The gmod/apollo:release-2.8.0-alternate <https://hub.docker.com/repository/docker/gmod/apollo/tags/release-2.8.0-alternate/sha256-a5d65e04fc597f0f71ea2c97dd6174ea1f1cca43912be53e3733c4fad2ee30e9> image will provide a drop-in replacement for your existing Docker image. This image, however, like past images, runs as the root user. If you would like the additional security of not running as a root user, you can use the gmod/apollo:release-2.8.0 image <https://hub.docker.com/repository/docker/gmod/apollo/tags/release-2.8.0/sha256-9760d56c6ec28edc2d3793ed11e7e659da2a7ac1973f3b1cfa32517551c2ff46>, which does not run as the root user, but will require you to update any mounted directories so they are accessible by a non-root user.

We understand that updates are inconvenient, but we emphasize that taking this proactive step is essential to ensuring the security of your systems.

Sincerely,
The Apollo Team
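The two operational questions the announcement raises are "does the Tomcat that serves my Apollo instance run as root?" and "before I switch to the non-root gmod/apollo:release-2.8.0 image, which uid/gid does it run as, and are my bind-mounted directories owned accordingly?". The following POSIX shell script is an added example (editor's code, not part of the announcement and not the Apollo project's own tooling) that answers both. It assumes a procps/BSD-style `ps -eo user,pid,args`, that Docker is installed, and that the image contains the `id` binary; the announcement does not state which uid/gid the non-root image uses, so the script discovers it at runtime instead of hard-coding it. The image tags used are the ones named in the mail.

```shell
#!/bin/sh
# Added example, not from the Apollo team or the Apollo project.
# 1) Audit: find Tomcat/Catalina JVMs that run as root.
# 2) Prepare: chown a bind-mount directory to the uid:gid the non-root
#    Apollo image actually runs as (assumption: not stated in the mail,
#    so it is queried from the image with `id`).

# Filter `ps -eo user,pid,args` output (on stdin) down to Catalina JVMs
# owned by root. Prints the offending lines. Exit status: 1 if any were
# found, 0 if clean, so it can be used as a pass/fail gate in a check script.
find_root_tomcat() {
    awk '
        NR == 1 && $1 == "USER" { next }                  # skip the ps header
        $1 == "root" && /java/ && /catalina/ { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Run the audit against the live process table of this host.
audit_running_tomcat() {
    ps -eo user,pid,args | find_root_tomcat
}

# Report the uid:gid a container image runs as, by overriding the
# entrypoint with `id` so Tomcat itself is never started.
# Assumes the image contains `id` (true for Debian/Ubuntu-based images).
image_runtime_user() {
    image=$1
    uid=$(docker run --rm --entrypoint id "$image" -u) || return 1
    gid=$(docker run --rm --entrypoint id "$image" -g) || return 1
    echo "$uid:$gid"
}

# True (exit 0) when a "uid:gid" string is not root.
owner_is_nonroot() {
    case "$1" in
        0:*) return 1 ;;
    esac
    return 0
}

# Make a host directory that will be bind-mounted into the container owned
# by the uid:gid the image runs as. Refuses to touch anything if the image
# still runs as root (e.g. the -alternate tag or an older image), because
# chown-ing to root would not be the "mounted directories accessible by a
# non-root user" step the announcement describes. Run this as root.
prepare_mount_for_image() {
    image=$1
    dir=$2
    owner=$(image_runtime_user "$image") || return 1
    if ! owner_is_nonroot "$owner"; then
        echo "refusing: $image runs as root; use gmod/apollo:release-2.8.0" >&2
        return 1
    fi
    chown -R "$owner" "$dir"
    echo "$dir is now owned by $owner for $image"
}
```

Typical use: `audit_running_tomcat || echo "Apollo's Tomcat runs as root"` on the host that runs Apollo outside Docker, and `prepare_mount_for_image gmod/apollo:release-2.8.0 /path/to/apollo_data` (path hypothetical) once per bind-mounted directory before starting the non-root container. The audit matches on `catalina` in the command line because every Tomcat launch passes `-Dcatalina.base`/`-Dcatalina.home` to the JVM; a Tomcat started some other way would need that pattern adjusted.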