Vulnerabilities earlier than 2020

glibc vulnerability (CVE-2015-7547)

First published: 19 February 2016

Last update: 25 November 2020

ID: -

Affected Components: Red Hat Enterprise Linux / CentOS

Severity: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, Basic Score: 8.1 (High)

Status: Final

CVEs: CVE-2015-7547

Information

The following information was made available by Red Hat concerning this vulnerability: A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.

For further information, please refer to the References section.

Solution

At the moment we do not know about specific security issues in our products based on this vulnerability.

Regardless of this, we advise that all Linux servers using a vulnerable version of glibc are patched immediately, as there might be currently unknown situations or other vulnerable services active that may compromise the systems integrity.

Following an update of glibc there may be a change in the locale settings leading to a different localisation appearance for some Fabasoft products (eg. timestamps, currency display).
If you experience problems, such as an incorrect date format, please rerun the setup of the Fabasoft product to correct the system settings. For further information, please refer to the Applies to section.

Reruninng the Setup is required for versions earlier than

Fabasoft eGov-Suite 2013

Fabasoft Folio 2012 Spring Release

References

• CVE-2015-7547 (Red Hat)
• CVE-2015-7547 (Mirte)
• CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Applies to

• Fabasoft Folio
• Fabasoft eGov-Suite
• Fabasoft Mindbreeze

glibc "GHOST" vulnerability (CVE-2015-0235)

Last update: 6 November 2020

Summary

This is an advisory regarding a security issue in the glibc library also known as GHOST.

Information

The following information was made available by Red Hat concerning this vulnerability: A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

For further information, please refer to the References section.

Solution

Current analysis of our products indicated that there is no known security issue based on this vulnerability.

Regardless of this, we advise that all Linux servers using a vulnerable version of glibc are patched immediately, as there might be currently unknown situations or other vulnerable services active that may compromise the systems integrity.

Following an update of glibc there may be a change in localisation for some Fabasoft products.
If you experience problems, such as an incorrect date format, please rerun the setup of the Fabasoft product to correct the system settings

References

• RHSA-2015:0092-1 - Critical: glibc security update (Red Hat)
• CVE-2015-0235 (Mirte)
• Critical glibc update (CVE-2015-0235) in gethostbyname() calls
• Ghost: Uralte Lücke in Glibc bedroht Linux-Server (Heise)

Applies to

• Fabasoft Folio
• Fabasoft eGov-Suite
• Fabasoft Mindbreeze

Bash vulnerability (CVE-2014-6271 and CVE-2014-7169)

Last update: 6 November 2020

Summary

This is an information regarding a security issue in the Unix Bash (Bourne Again Shell) commonly used in Linux environments as well as Mac OS.

Information

CVE-2014-6271
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

CVE-2014-7169
This CVE describes the incomplete fix of CVE-2014-6271 in the first round of patches

For further information, please refer to the References section.

Fabasoft Products

Due to the fact that Fabasoft products do not use CGI Scripts on Linux environments they are not directly affected by this vulnerability.

Solution

We strongly suggest you immediately install the latest patches for the bash executable on all systems!

All major Linux distribution have released patches, both for the original and the followup CVE. So far there are no known problems with either of these patches. As of writing this article the second patch has not yet been distributed to all patch mirrors, due to this it is advised to verify the version of the patch provided from your mirror.

References

• NVD - Vulnerability Summary for CVE-2014-6271
• NVD - Vulnerability Summary for CVE-2014-7169
• CVE - CVE-2014-6271
• CVE - CVE-2014-7169
• Update on CVE-2014-6271: Vulnerability in bash (shellshock)

Applies to

• All Fabasoft products running on an Linux environment

ImageMagick vulnerability (CVE-2016-3714, CVE-2016-3718, FSC03839)

First published: 09 May 2016

Last update: 25 November 2020

ID: FSC03839

Affected Components: Fabasoft Folio

Severity: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Basic Score: 8.4 (High)

Status: Final

CVEs: CVE-2016-3714 , CVE-2016-3718

Information

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.

For further information, please refer to the References section.

Solution

Currently it is possible to deactivate the vulnerable conversions by including the following lines in the <policymap> tag of your policy.xml for ImageMagick:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />

Please be aware that adding the above lines will currently lead to an error while converting svg files.

How to apply

Linux

• Add the above mentioned lines to the /etc/fabasoft/magick/policy.xml file.
• Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration ( a reload is not sufficient ).

Windows

• Create a new environment variable named MAGICK_CONFIGURE_PATH and point it to a directory which all service users are allowed to access.
• Download the standard policy.xml from the ImageMagick website and save it to this directory ( https://www.imagemagick.org/source/policy.xml ).
• Edit the file and add the lines mentioned above.
• Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration ( a reload is not sufficient ).

Hotfix information

The fixed ImageMagick library is shipped with Fabasoft Folio from these versions:

• Fabasoft Folio 2013 UR6 (from 13.0.13.36)
• Fabasoft Folio 2014 UR6 (from 14.0.13.42)
• Fabasoft Folio 2015 UR3 and above
• Fabasoft Folio 2016 UR1 and above
• Fabasoft Folio 2017
• and all higher Fabasoft Folio versions and Update Rollups

References

• CVE - CVE-2016-3714
• CVE - CVE-2016-3715
• CVE - CVE-2016-3716
• CVE - CVE-2016-3717
• CVE - CVE-2016-3718
• ImageTragick
• ImageMagick: Resources listing

Applies to

• All current versions

http.sys MS15-034 vulnerability (CVE-2015-1635)

First published: 15 April 2015

Last update: 25 November 2020

ID:

Affected Components: Fabasoft Folio on Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012 and R2

Severity: AV:N/AC:L/Au:N/C:C/I:C/A:C, Basic Score: 10.0 (High)

Status: Final

CVEs: CVE-2015-1635

Summary

This is an information regarding a security issue in the Windwos HTTP protocol stack (HTTP.sys) used in Windows Operating Systems. Most importantly this vulnerability affects the Internet Information System (IIS) Component of Windwos Server environments.

Information

CVE-2015-1635
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

Fabasoft Products
Our internal tests when using the KB3042553 provided by Microsoft have shown no negative effects on any of our products

Solution

We strongly recommend you to install the Microsoft KB3042553 Patch on all systems!

So far there are no known problems with this patch.

References

• Microsoft Security Bulletin MS15-034 - Critical
• CVE-2015-1635
• NVD - Vulnerability Summary for CVE-2015-1635

Applies to

All Fabasoft products running on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

Java vulnerability (CVE-2014-4244)

Last update: 6 November 2020

Summary

This is an information regarding a security issue in Oracle Java SE (Standard Edition) and Oracle JRockit.

Information

An undisclosed vulnerability has been found in Oracle Java SE (Standard Edition) and Oracle JRockit.

According to the Oracle Critical Patch Update Advisory - July 2014 this vulnerability applies to "...client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service."

For further information, please refer to the References section.

Solution

Oracle Java SE 6 Update 75 and lower

Although the CVE-2014-4244 vulnerability also applies to versions of Java SE 6 Update 75 (6u75) and earlier, the support for Java SE 6 has expired and new versions of Java SE 6 are only available through the Java SE Support program. Therefore, assistance with the upgrade of Java SE 6 can only be provided by your Oracle software vendor.

Oracle Java SE 7 Update 60 and lower

If you are using Java SE 7 Update 60 (7u60) or lower we recommend to update to Java SE 7 Update 65 (7u65), available from Oracle.

The Java binary is used in a wide range of Fabasoft products, including Fabasoft Folio, Fabasoft eGov-Suite and Fabasoft Mindbreeze.

Warning: Upgrading your Java SE version may lead to unexpected behaviour. Please test extensively before issuing the update on a productive system.

Fabasoft Folio / Fabasoft eGov-Suite

For all versions of Fabasoft Folio and Fabasoft eGov-Suite that support Java SE 7, no additional steps need to be taken after upgrading the Java SE version.

Fabasoft Mindbreeze

If you are using a version of Fabasoft Mindbreeze that supports Java SE 7, you need to apply a hotfix in addition to updating to Java SE 7 Update 65.

Note: If you require the aforementioned hotfix for your Fabasoft Mindbreeze installation, please contact Fabasoft Support.

Oracle Java SE 8 Update 5 and lower

Currently no versions of Fabasoft products require Java SE 8 in any affected version.

References

• CVE-2014-4244
• NVD - Vulnerability Summary for CVE-2014-4244
• Oracle Critical Patch Update Advisory - July 2014

Applies to

• Fabasoft Folio
• Fabasoft eGov-Suite
• Fabasoft Mindbreeze

OpenSSL "Heartbleed" vulnerability (CVE-2014-0160)

Last update: 6 November 2020

Summary

This is an information regarding a security issue in the OpenSSL library.

Notice: This is an urgency released article. Further information may be added, therefore please re-check for information updates.

Information

A severe programming error has been identified in the OpenSSL library, which affects the most recent versions of the OpenSSL library. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

More information can be found at:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
• http://heartbleed.com/
• http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-Horror-Bug-in-OpenSSL-2165517.html (German)

Solution

If you use SSL on your server for any service we strongly suggest that you make sure your server is not vulnerable, and if it is vulnerable that you apply the fixes which have already been provided by most operating system vendors.

The OpenSSL library is used in a wide range of Fabasoft products as well, including Fabasoft Folio, Fabasoft eGov-Suite, Fabasoft Mindbreeze and Fabasoft app.telemetry.

Fabasoft Folio / Fabasoft eGov-Suite

The IMAP Server functionality in the following Fabasoft Folio versions may be affected (both Microsoft Windows and Linux):

• Fabasoft Folio 2012 Fall Release
• Fabasoft Folio 2013 Winter Release (fixed with Update Rollup 1 for Fabasoft Folio 2013 Winter Release)
• Fabasoft eGov-Suite 2013 (fixed with Update Rollup 1 for Fabasoft eGov-Suite 2013)
• Fabasoft Folio 2013 Spring Release
• Fabasoft Folio 2013 Summer Release
• Fabasoft Folio 2013 Fall Release
• Fabasoft Folio 2014 Winter Release (fixed with Update Rollup 1 for Fabasoft Folio 2014 Winter Release)
• Fabasoft Folio 2014 Spring Release

If you use Fabasoft IMAP Server in one of these listed versions, please contact Fabasoft Support to request a hotfix with an updated OpenSSL library.

Also other parts of Fabasoft Folio / Fabasoft eGov-Suite are using OpenSSL statically or included in a Fabasoft binary, but only for internal service communication, not for communication between users and Fabasoft Folio / Fabasoft eGov-Suite. Therefore the risk of the OpenSSL security issue is much lower in this area. Hotfixes with an updated OpenSSL library are available as listed above.

Fabasoft products potentially affected by a vulnerable operating system's OpenSSL library

Fabasoft products and components installed on Linux operating systems are using the OpenSSL library of the operating system:

• Fabasoft Folio and eGov-Suite Services running on Apache webserver with SSL (Web services, Conversion services, and so on)
• Mindbreeze Enterprise Search Client Services and Management
• Fabasoft app.telemetry Server
• Fabasoft app.telemetry Agent

Fabasoft suggests to update all affected operating systems to the latest OpenSSL library. Fabasoft products installed under Microsoft Windows use the unaffected Microsoft SSL implementation.

Applies to

• Fabasoft Folio 2012 Fall Release
• Fabasoft Folio 2013 Winter Release
• Fabasoft eGov-Suite 2013
• Fabasoft Folio 2013 Spring Release
• Fabasoft Folio 2013 Summer Release
• Fabasoft Folio 2013 Fall Release
• Fabasoft Folio 2014 Winter Release
• Fabasoft Folio 2014 Spring Release

Liferay Portlet Cross-Site Scripting vulnerability

First published: 6 November 2013

Last update: 6 November 2013

ID: -

• Affected Components: Fabasoft Folio (up to and including 2012 Fall Release), Fabasoft eGov-Suite (up to and including 2012)

Severity: (not measured)

Status: Final

CVEs: (unknown)

Summary

A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow Cross Site Scripting, if an attacker modifies the URL in a special way.

Information

An attacker can exploit this vulnerability to run JavaScript code on the client machine.

An article about the risks of cross-site scripting (XSS) can be found at Wikipedia.

Webservers and services in the backend are not affected by this vulnerability. No code execution can be done on these machines. Only client machines are at risk.

Solution

A hotfix for the portlet is available for the Fabasoft software versions listed below.

If you use a Liferay production environment in an insecure network (Internet), please open a ticket at Fabasoft Service Desk including your current Fabasoft Folio/eGov-Suite version.

Applies to

• Fabasoft Folio (up to and including 2012 Fall Release)
• Fabasoft eGov-Suite (up to and including 2012)
• Hotfix-Builds with build number 12.0.7.116 and above already include the hotfix

MHTML Script Injection vulnerability (Microsoft KB 2501696)

Information

On January 28th 2011 Microsoft has released the Security Advisory 2501696 concerning a MHTML Script Injection vulnerability in Microsoft Internet Explorer. In context of this Security Advisory and respectively KB 2501696 Microsoft released a FixIt to address this issue preliminary to an official hotfix. According to Microsoft the only side effects they have encountered are script execution and ActiveX being disabled within MHT documents.

As Microsoft expects limited impacts in most environments due to the changes mentioned above, exploratory tests have shown no impact on Fabasoft Folio or the Fabasoft eGov-Suite. These tests have been performed using

• Fabasoft Folio 2010 Fall Release
• Fabasoft Folio 2010 Summer Release
• Fabasoft Folio 2010 Spring Release
• Fabasoft Folio 2009 Fall Release
• Fabasoft eGov-Suite 8.0 SP1
• Fabasoft eGov-Suite 8.0
• Fabasoft eGov-Suite 7.0 SP3
• Fabasoft eGov-Suite 7.0 SP2

In general, Fabasoft Folio 2009 Fall Release (and higher) respectively Fabasoft eGov-Suite 8.0 (and higher) might not be affected as MHT is not used (e.g. for object-overviews) in these versions. As PDF-overviews are used instead we can't see an impact on these versions.

In contrast Fabasoft eGov-Suite 7.0 SP2 and SP3 used MHT e.g for file overviews and could be affected by this security enhancement by Microsoft. Nevertheless, no impact could be found in our basic tests using file-overviews and file-documentations.

Please note that no comprehensive regression testing has been performed. This information is provided "as is" with no warranties. We suggest further testing in your environment if you are planning to deploy this security enhancement.