We published corrective versions on September 14, 2022: GLPI 9.5.9 and GLPI 10.0.3.
These fix two critical security vulnerabilities: a SQL injection (CVE-2022-35947) and a remote code execution (CVE-2022-35914, a vulnerability in the third-party library htmlawed). The RCE has been massively exploited since October 3, 2022 to execute code on insecure, internet-facing servers hosting GLPI (GLPI Network Cloud instances are not impacted).
If you are not on the latest version, 9.5.9 or 10.0.3, you must update your instances using the recommended method: from an empty folder, without overwriting existing GLPI files.
We noticed a scenario where the corrective versions can also be impacted: when a GLPI update has been performed by unpacking the archive over the existing folders and files. Files that the corrective release no longer ships, such as the vulnerable `htmLawedTest.php`, then stay on disk and remain reachable through the web server.
We insist that this way of updating GLPI is bad practice regardless of the current security problem: stale files from previous versions are left behind, which exposes you to bugs.
We invite you to correctly re-install your GLPI as indicated in the documentation:
start from an empty folder
copy the files from the archive of the latest version into it
copy your `config/` and `files/` directories back from the old instance (and only those: never `vendor/` or the PHP sources).
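The re-install procedure above as a POSIX shell function, added here as an example; it is not the GLPI project's own script. It assumes the release archive has the usual single top-level `glpi/` directory, that `config/` and `files/` live inside the old installation root (not relocated to `/etc/glpi` or `/var/lib/glpi`), and the function names `glpi_clean_install` and `glpi_check_stale` are mine. It refuses to unpack into a non-empty directory, which is exactly the bad practice the advisory warns about, and it finishes with a check that the leftover `htmLawedTest.php` is not present in the new tree.

```shell
#!/bin/sh
# Clean re-install of GLPI into an empty directory, as the advisory recommends.
# Added example, not the GLPI project's own script; paths and function names
# are assumptions.
set -eu

# Path of the htmlawed test harness that must not exist in a 9.5.9 / 10.0.3 tree.
HTMLAWED_TEST='vendor/htmlawed/htmlawed/htmLawedTest.php'

# glpi_clean_install ARCHIVE OLD_ROOT NEW_ROOT
#   ARCHIVE  : glpi-<version>.tgz from the project (top-level glpi/ directory inside)
#   OLD_ROOT : the existing installation, possibly polluted by in-place updates
#   NEW_ROOT : an empty or non-existent directory that becomes the new install
glpi_clean_install() {
    archive=$1; old_root=$2; new_root=$3

    # Never unpack over an existing tree: that is how stale files survive an update.
    if [ -e "$new_root" ] && [ -n "$(ls -A "$new_root")" ]; then
        echo "refusing to install into non-empty directory: $new_root" >&2
        return 1
    fi
    mkdir -p "$new_root"

    # The archive contains a single glpi/ directory; strip it so files land in NEW_ROOT.
    tar -xzf "$archive" -C "$new_root" --strip-components=1

    # Carry over only the data directories the advisory names, replacing the
    # empty ones shipped in the archive. vendor/ and the PHP sources come from
    # the archive alone.
    for d in config files; do
        rm -rf "$new_root/$d"
        cp -a "$old_root/$d" "$new_root/$d"
    done
}

# glpi_check_stale ROOT : succeeds only if the vulnerable test script is absent.
glpi_check_stale() {
    root=$1
    if [ -e "$root/$HTMLAWED_TEST" ]; then
        echo "stale vulnerable file present: $root/$HTMLAWED_TEST" >&2
        return 1
    fi
    return 0
}

# Typical use, with the web server stopped or pointed at the old tree until done:
#   glpi_clean_install /tmp/glpi-10.0.3.tgz /var/www/glpi /var/www/glpi-10.0.3
#   glpi_check_stale /var/www/glpi-10.0.3 && echo "ok, switch DocumentRoot now"
```

After the copy, switch the web server's DocumentRoot (or the symlink it points at) to the new directory and run the usual GLPI update step from the web interface or CLI; file ownership of `config/` and `files/` must still belong to the web server user after `cp -a`.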
Workarounds to deal with the RCE urgently while you prepare the update (these do not fix the SQL injection):
delete the `vendor/htmlawed/htmlawed/htmLawedTest.php` file (be careful not to touch the `htmLawed.php` file next to it, which is the legitimate library GLPI needs).
prevent web access to the whole `vendor/` folder, for example with an adequate `.htaccess` in the case of Apache (this only works if `AllowOverride` permits it for the GLPI document root).
If your server has already been compromised, you probably need to start from a new server, onto which you import your SQL dump and the `config/` and `files/` directories mentioned above; check what you restore, since an attacker with code execution could have written files of their own into those directories.
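The two workarounds above, plus a quick triage of an Apache access log for requests that reached the vulnerable script, as a POSIX shell example added here; it is not the GLPI project's own script. The function names, the Apache 2.4 `Require` syntax, the combined log format and the sample log lines are all my assumptions. As the advisory says, none of this addresses the SQL injection (CVE-2022-35947).

```shell
#!/bin/sh
# Emergency workaround for the htmlawed RCE (CVE-2022-35914) on an Apache-hosted
# GLPI, and a first look at the access log. Added example, not the GLPI project's
# own script; function names and log format are assumptions.
set -eu

HTMLAWED_TEST='vendor/htmlawed/htmlawed/htmLawedTest.php'
HTMLAWED_LIB='vendor/htmlawed/htmlawed/htmLawed.php'

# glpi_remove_htmlawed_test ROOT : delete only the test harness, then verify the
# library itself is still there (removing htmLawed.php would break GLPI).
glpi_remove_htmlawed_test() {
    root=$1
    rm -f "$root/$HTMLAWED_TEST"
    [ -f "$root/$HTMLAWED_LIB" ]
}

# glpi_deny_vendor ROOT : block every HTTP request under vendor/ (Apache 2.4).
# Overwrites any existing vendor/.htaccess. Apache only honours it when
# AllowOverride for the GLPI DocumentRoot allows it; otherwise this silently
# does nothing, which is why glpi_is_hardened below is not a substitute for
# testing the URL with curl.
glpi_deny_vendor() {
    root=$1
    cat > "$root/vendor/.htaccess" <<'EOF'
# Composer-managed libraries are only ever loaded by PHP, never fetched by browsers.
Require all denied
EOF
}

# glpi_is_hardened ROOT : succeeds if the test script is gone and vendor/ is denied.
glpi_is_hardened() {
    root=$1
    [ ! -e "$root/$HTMLAWED_TEST" ] &&
    [ -f "$root/vendor/.htaccess" ] &&
    grep -q '^Require all denied' "$root/vendor/.htaccess"
}

# glpi_exploit_attempts LOG : number of requests that named htmLawedTest.php,
# whatever the response code.
glpi_exploit_attempts() {
    grep -c 'htmLawedTest\.php' "$1" || true
}

# glpi_successful_hits LOG : print the requests to htmLawedTest.php that got a
# 200 (combined log format: field 7 is the path, field 9 the status). Any such
# line from a client you do not recognise means the server should be treated as
# compromised, as the advisory says.
glpi_successful_hits() {
    awk '$7 ~ /htmLawedTest\.php/ && $9 == 200' "$1"
}

# Typical use:
#   glpi_remove_htmlawed_test /var/www/glpi
#   glpi_deny_vendor /var/www/glpi
#   glpi_is_hardened /var/www/glpi && echo hardened
#   curl -s -o /dev/null -w '%{http_code}\n' https://glpi.example/vendor/htmlawed/htmlawed/htmLawedTest.php
#   glpi_successful_hits /var/log/apache2/access.log
```

On Apache 2.2 the equivalent `.htaccess` is `Order deny,allow` followed by `Deny from all`; on nginx, which ignores `.htaccess`, use a `location ^~ /vendor/ { deny all; }` block in the server configuration. Whichever you use, confirm the block with a real request from outside: a 403 or 404 on the test script URL is what you want, a 200 means the workaround is not in effect.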
Need professional support for GLPI? Consider GLPI Network! https://glpi-project.org/fr/tarifs/
Do you know about the Cloud offer maintained and supported by the team that publishes GLPI?
You can try it for free for 45 days! https://glpi-network.cloud (or longer if needed)