Vulnerabilities 2022

Text4Shell CVE-2022-42889 information

First published: 21 October 2022

Last update: 27 October 2022

ID: PDO03176

Summary

Apache Commons Text library filed a security vulnerability CVE-2022-42889 that allows arbitrary code execution or contact with remote servers.

Fabasoft Folio and Fabasoft Business Process Cloud include the library, but do not use any function that is affected by the security vulnerability.

Nevertheless Fabasoft will update the library in its products as precaution.

Impact

No Fabasoft products are impacted by the Text4Shell vulnerability.

Remediation

Although no Fabasoft product is using a vulnerable function of the library, Fabasoft will update the Apache Commons Text library in its products.

Fabasoft Business Process Cloud

The Fabasoft Business Process Cloud will be updated on 26th October 2022 with the latest fixed Apache Commons Text library.

Fabasoft Folio / Fabasoft eGov-Suite

A preventative hotfix with the updated Apache Commons Text library will be released. See the list of versions below.

Hotfix information

The Apache Commons Text library is part of Fabasoft Folio / Fabasoft eGov-Suite, but no Fabasoft product is affected by the vulnerable functions of the library.

For precaution, Fabasoft provides hotfixes for the following versions:

• Fabasoft Folio / Fabasoft eGov-Suite 2022 September Release (from 22.9.0.326)
• Fabasoft Folio / Fabasoft eGov-Suite 2022 June Release (from 22.6.0.365)
• Fabasoft Folio / Fabasoft eGov-Suite 2022 April Release (from 22.4.0.363)
• Fabasoft Folio / Fabasoft eGov-Suite 2022 Update Rollup 2 (from 22.0.2.38)
• Fabasoft Folio / Fabasoft eGov-Suite 2022 Update Rollup 1 (from 22.0.1.49)
• Fabasoft Folio / Fabasoft eGov-Suite 2022 (from 22.0.0.278)

Versions before Fabasoft Folio / Fabasoft eGov-Suite 2022 do not include the Apache Commons Text library.

Cross Site Scripting due to Object Pointers in Detail View (PDO01731)

First published: 15 July 2022

Last update: 19 July 2022

ID: PDO01731

Affected Components: Fabasoft Cloud, Fabasoft Folio Version 2022 June Release from build 260 to build 303 (22.6.0.260 - 22.6.0.303)

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, Basic Score: 7.3

Status: Final

CVEs: -

Summary

Malicious contents can be injected on the web browser client in a detail view.

Impact

An attacker may create an object with the malicious content in the name. If the object is shown in the detail view, code may be executed in the current users’ context in the browser.

Remediation

The cross site scripting vulnerability is fixed.

Fabasoft Cloud

A hotfix was applied in the Fabasoft Cloud at 15. July 2022.

Fabasoft Folio

A hotfix is provided for Fabasoft Folio Version 2022 June Release. It is recommended to install this hotfix.

Hotfix Information

Fixed with following versions Fabasoft Folio:

Fabasoft Folio Version 2022 June Release (Version 22.6.0. 304 )

Client AutoUpdate Harmful Code Installation Vulnerability (FSC33251)

First published: 21 April 2022

Last update: 25 April 2022

ID: FSC33251

Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud

Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Total Score: 8,8 HIGH

Status: Final

CVEs: -

Summary

A privilege escalation is possible by an intruder on a Microsoft Windows client using the Fabasoft Folio/Cloud Client AutoUpdate-Service (installed with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 or the Fabasoft Cloud Enterprise Client).

Affected Fabasoft Folio / Fabasoft eGov-Suite versions:

• Fabasoft Folio / eGov-Suite 2021 Update Rollup 3
• Fabasoft Folio / eGov-Suite 2022
• Fabasoft Business Process Cloud

Versions below Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.

Linux and Apple macOS clients are not affected.

Impact

In the case the vulnerability could be exploited, malicious software can be installed and executed on the client PC.

Remediation

Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install/roll-out this hotfix immediately. If it is not possible to immediately update the Fabasoft Folio Client, see the possible workaround to disable the Fabasoft Folio Client Update Service below.

Fabasoft Business Process Cloud

The current download of the Fabasoft Cloud Client from the Fabasoft Business Process Cloud already includes the hotfixed version of the Fabasoft Cloud Client.

If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically.

Hotfix information Fabaosoft Folio / Fabasoft eGov-Suite

Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:

https://at.cloud.fabasoft.com/folio/public/0vmm5s2yvqt5p0pryhjkscvi57

Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain.

The following Fabasoft Folio Client build numbers include the correction:

• 22.4.0.45 and above
• 22.2.0.32 and above
• 22.0.0.80 and above
• 21.1.3.55 and above

The correction is already included in the release kits of following versions:

• Fabasoft Folio / eGov-Suite 2022 Update Rollup 1 (22.0.1.x) and higher Update Rollup versions
• Fabasoft eGov-Suite 2022 April Release (from 22.4.0.x) and higher Feature Track versions
• Fabasoft Folio (22.5.0.x) and higher versions

Workaround: Disable Fabasoft Folio Client Update Service

The affected part of the Fabasoft Folio Client is the Fabasoft Folio Client Update Service, that is installed during the Fabasoft Folio Client installation.

This service is listed under Windows Services as

• "Fabasoft Folio Client 2022 Update Service", service name is "folioupdatepm22".
• "Fabasoft Folio Client 2021 Update Service", service name is "folioupdatepm21".

Set the service startup type to "Disabled" via Group Policy. By disabling these services, the security vulnerability cannot be exploited.

Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)

First published 4 April 2022

Last update: 4 April 2022

ID: FSC33127

Affected Components: Identity Provider of the Fabasoft Cloud, Fabasoft Secomo

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 9.8

Status: Final

CVE: CVE-2022-22965

Summary

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Two components of the Fabasoft Cloud used the Spring framework with the affected version: Identity Provider of the Fabasoft Cloud and Fabasoft Secomo.

Impact

Remote code execution (RCE) would have be potentially possible on the affected components.

Remediation

Fabasoft has provided a hotfix in the Fabasoft Cloud for all affected components on 01. April 2022 by updating the Spring framework to the latest version 5.3.18. No other remediation is required by the customer.

Note: Fabasoft Folio and the Fabasoft eGov-Suite do not make use of the Spring framework and are therefore not affected.

More Information

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://tanzu.vmware.com/security/cve-2022-22965

Risk to assign system admin privileges by restricted admin users (eGov14136)

First published: 10 March 2022

Last update: 11 March 2022

ID: eGov14136

Affected Components: Fabasoft eGov-Suite 2019/2020/2021/2022

Severity: not scored

Status: Final

CVEs: -

Summary

Users with a position that has not granted system administrative permissions, may have permissions to edit their own user object, allowing them to self-assign a user role / position with system administrative permissions.

In the Fabasoft eGov-Suite, some positions (like "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") are limited administrative positions, but have permissions to edit their own user object to add the "Systemadministration" position to their own and others user object.

Dependent to the Fabasoft Solution and custom ACLs at the customer's installation, the security leak may or may not be exploited by restricted administrators.

Impact

A Fabasoft eGov-Suite user with restricted administrative permissions (like "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") may be possible to edit the own user object. The user would be possible to add a user role with full administrative privileges.

Remediation

Please double-check all active user objects for the assigned user roles. Check, that only allowed users have the System Administration position.

Hotfix information

Fabasoft provides hotfixes for the following Fabasoft eGov-Suite versions:

• Fabasoft eGov-Suite 2022 (from 22.0.0.244.18)
• Fabasoft eGov-Suite 2021 Update Rollup 3 (from 21.1.3.24.121)
• Fabasoft eGov-Suite 2020 Update Rollup 5 (from 20.1.5.70.34)
• Fabasoft eGov-Suite 2019 Update Rollup 3 (from 19.2.3.131.51)

The correction is already included in:

• Fabasoft eGov-Suite 2022 Update Rollup 1
• Fabasoft eGov-Suite 2022 April Release

With the corrected functionality, a special security check is performed when the user roles and tenants are tried to be changed. Furthermore, an auditlog entry is written on any change of the user roles.

Fabasoft recommends to contact your Fabasoft representative to check your installation against the issue.