You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

#1 2022-10-05 11:36:12

francois-teclib
Expert GLPI
From: TECLIB
Registered: 2006-11-05
Posts: 76
Website

Important message about security (9.5.9 / 10.0.3)!

We published corrective versions on september 14, 2022:

  • 9.5.9 : 9.5.9-DOWNLOAD_GLPI-green.svg?logo=php&logoColor=white&style=for-the-badge?logo=php&logoColor=white&style=for-the-badge

  • 10.0.3 : 10.0.3-DOWNLOAD_GLPI-green.svg?logo=php&logoColor=white&style=for-the-badge?logo=php&logoColor=white&style=for-the-badge

These fix two critical security vulnerabilities: a SQL Injection (CVE-2022-35947), and a Remote Code Execution (CVE-2022-35914, vulnerability in the third-party library, htmlawed), the latter has been massively exploited since October 3, 2022 to execute code on insecure servers, available on the internet, hosting GLPI (GLPI Network Cloud instances are not impacted).

If you are not on the latest version 9.5.9 or 10.0.3, you must update your instances according to the recommended method (from an empty folder, without overwriting existing GLPI files).

We noticed there is a scenario where the corrective versions can also be impacted: when a GLPI update has been performed, by unpacking the archive over the existing folders and files.

We insist this way of updating GLPI is a bad practice and despite the current security problem, exposes you to bugs.

We invite you to correctly re-install your GLPI as indicated in the documentation:

  • from an empty folder

  • copy the files from the archive of the latest version

  • get your `config/` and `files/` directories from the old instance.

Workarounds to deal with RCE urgency (this does not fix SQL injection):

  • delete the `vendor/htmlawed/htmlawed/htmLawedTest.php` file (be careful not to touch the `htmLawed.php` file which is legitimate).

  • prevent web access to the `vendor/` folder by setting (in the case of Apache for example) an adequate `.htaccess`.

If your server has already been corrupted, you probably need to start from a new server, on which you will import your SQL dump and the folders mentioned above.


Besoin d'un support professionnel pour GLPI ? Pensez à GLPI Network ! https://glpi-project.org/fr/tarifs/

Connaissez-vous l'offre Cloud maintenue et supportée par l'équipe qui édite GLPI ?
Vous pouvez tester gratuitement pendant 45 jours ! https://glpi-network.cloud (ou plus si besoin)

Offline

Board footer

Powered by FluxBB