Vulnerabilities 2022

Text4Shell CVE-2022-42889 information

First published: 21 October 2022

Last update: 27 October 2022

ID: PDO03176

Summary

The Apache Commons Text library filed security vulnerability CVE-2022-42889, which allows arbitrary code execution or contact with remote servers.

Fabasoft Folio and Fabasoft Business Process Cloud include the library, but do not use any function that is affected by the security vulnerability.

Nevertheless, Fabasoft will update the library in its products as a precaution.

Impact

No Fabasoft products are impacted by the Text4Shell vulnerability.

Remediation

Although no Fabasoft product is using a vulnerable function of the library, Fabasoft will update the Apache Commons Text library in its products.

Fabasoft Business Process Cloud

The Fabasoft Business Process Cloud will be updated on 26 October 2022 with the latest fixed Apache Commons Text library.

Fabasoft Folio / Fabasoft eGov-Suite

A preventative hotfix with the updated Apache Commons Text library will be released. See the list of versions below.

Hotfix information

The Apache Commons Text library is part of Fabasoft Folio / Fabasoft eGov-Suite, but no Fabasoft product is affected by the vulnerable functions of the library.

As a precaution, Fabasoft provides hotfixes for the following versions:

  • Fabasoft Folio / Fabasoft eGov-Suite 2022 September Release (from 22.9.0.326)
  • Fabasoft Folio / Fabasoft eGov-Suite 2022 June Release (from 22.6.0.365)
  • Fabasoft Folio / Fabasoft eGov-Suite 2022 April Release (from 22.4.0.363)
  • Fabasoft Folio / Fabasoft eGov-Suite 2022 Update Rollup 2 (from 22.0.2.38)
  • Fabasoft Folio / Fabasoft eGov-Suite 2022 Update Rollup 1 (from 22.0.1.49)
  • Fabasoft Folio / Fabasoft eGov-Suite 2022 (from 22.0.0.278)

Versions before Fabasoft Folio / Fabasoft eGov-Suite 2022 do not include the Apache Commons Text library.

Cross Site Scripting due to Object Pointers in Detail View (PDO01731)

First published: 15 July 2022

Last update: 19 July 2022

ID: PDO01731

Affected Components: Fabasoft Cloud, Fabasoft Folio Version 2022 June Release from build 260 to build 303 (22.6.0.260 - 22.6.0.303)

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, Base Score: 7.3

Status: Final

CVEs: -

Summary

Malicious content can be injected into the web browser client in a detail view.

Impact

An attacker may create an object with malicious content in its name. If the object is shown in the detail view, code may be executed in the browser in the current user's context.

Remediation

The cross site scripting vulnerability is fixed.

Fabasoft Cloud

A hotfix was applied in the Fabasoft Cloud on 15 July 2022.

Fabasoft Folio

A hotfix is provided for Fabasoft Folio Version 2022 June Release. It is recommended to install this hotfix.

Hotfix Information

Fixed with the following Fabasoft Folio version:

Fabasoft Folio Version 2022 June Release (Version 22.6.0.304)

Client AutoUpdate Harmful Code Installation Vulnerability (FSC33251)

First published: 21 April 2022

Last update: 25 April 2022

ID: FSC33251

Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud

Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, Base Score: 8.8 (High)

Status: Final

CVEs: -

Summary

An intruder can escalate privileges on a Microsoft Windows client via the Fabasoft Folio/Cloud Client AutoUpdate Service (installed with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 onward, or with the Fabasoft Cloud Enterprise Client).

Affected Fabasoft Folio / Fabasoft eGov-Suite versions:

  • Fabasoft Folio / eGov-Suite 2021 Update Rollup 3
  • Fabasoft Folio / eGov-Suite 2022
  • Fabasoft Business Process Cloud

Versions before Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.

Linux and Apple macOS clients are not affected.

Impact

If the vulnerability is exploited, malicious software can be installed and executed on the client PC.

Remediation

Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install or roll out this hotfix immediately. If it is not possible to update the Fabasoft Folio Client immediately, see the workaround below for disabling the Fabasoft Folio Client Update Service.

Fabasoft Business Process Cloud

The current download of the Fabasoft Cloud Client from the Fabasoft Business Process Cloud already includes the hotfixed version of the Fabasoft Cloud Client.

If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically.

Hotfix information Fabasoft Folio / Fabasoft eGov-Suite

Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:

https://at.cloud.fabasoft.com/folio/public/0vmm5s2yvqt5p0pryhjkscvi57

Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain.

The following Fabasoft Folio Client build numbers include the correction:

  • 22.4.0.45 and above
  • 22.2.0.32 and above
  • 22.0.0.80 and above
  • 21.1.3.55 and above

The correction is already included in the release kits of the following versions:

  • Fabasoft Folio / eGov-Suite 2022 Update Rollup 1 (22.0.1.x) and higher Update Rollup versions
  • Fabasoft eGov-Suite 2022 April Release (from 22.4.0.x) and higher Feature Track versions
  • Fabasoft Folio (22.5.0.x) and higher versions

Workaround: Disable Fabasoft Folio Client Update Service

The affected part of the Fabasoft Folio Client is the Fabasoft Folio Client Update Service, which is installed during the Fabasoft Folio Client installation.

This service is listed under Windows Services as:

  • "Fabasoft Folio Client 2022 Update Service", service name is "folioupdatepm22".
  • "Fabasoft Folio Client 2021 Update Service", service name is "folioupdatepm21".

Set the service startup type to "Disabled" via Group Policy. Once these services are disabled, the security vulnerability cannot be exploited.
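For administrators who want to verify the workaround on individual PCs before or alongside the Group Policy rollout, the following PowerShell script audits the two update services named above and, with the -Disable switch, stops them and sets their startup type to Disabled. This is an added example, not Fabasoft's own tooling; the service names come from the advisory, while the -Disable parameter and the output format are this example's own assumptions, and it must run in an elevated (administrator) session.

```powershell
# Added example: audit (and optionally disable) the Fabasoft Folio Client Update
# Service on a Windows PC. Service names are taken from the advisory; the
# parameter name and output layout are this example's own assumptions.
param(
    # Without this switch the script only reports; with it, it disables the services.
    [switch]$Disable
)

# Service names as listed in the advisory (2022 and 2021 client generations).
$UpdateServices = @('folioupdatepm22', 'folioupdatepm21')

foreach ($name in $UpdateServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "$name : not installed"
        continue
    }

    # Win32_Service exposes the startup type (StartMode) and the binary path
    # on all PowerShell versions, unlike Get-Service on older releases.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    Write-Output ("{0} : status={1}, startup={2}, binary={3}" -f
        $name, $svc.Status, $cim.StartMode, $cim.PathName)

    if ($Disable) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force
        }
        Set-Service -Name $name -StartupType Disabled
        $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        Write-Output ("{0} : startup type is now {1}" -f $name, $after.StartMode)
    }
    elseif ($cim.StartMode -ne 'Disabled') {
        Write-Warning "$name is still enabled; install the hotfixed client or disable the service (e.g. via Group Policy)."
    }
}
```

Run without parameters to report the current state of both services; once the hotfixed Fabasoft Folio Client is installed, the services can be re-enabled through the same Group Policy setting.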


Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)

First published: 04 April 2022

Last update: 4 April 2022

ID: FSC33127

Affected Components: Identity Provider of the Fabasoft Cloud, Fabasoft Secomo

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 9.8

Status: Final

CVE: CVE-2022-22965

Summary

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Two components of the Fabasoft Cloud used the Spring framework with the affected version: Identity Provider of the Fabasoft Cloud and Fabasoft Secomo.

Impact

Remote code execution (RCE) would potentially have been possible on the affected components.

Remediation

Fabasoft provided a hotfix in the Fabasoft Cloud for all affected components on 01 April 2022 by updating the Spring framework to the latest version, 5.3.18. No other remediation is required by the customer.

Note: Fabasoft Folio and the Fabasoft eGov-Suite do not make use of the Spring framework and are therefore not affected.

More Information

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://tanzu.vmware.com/security/cve-2022-22965