First published: 21 October 2022
Last update: 27 October 2022
Apache Commons Text library filed a security vulnerability CVE-2022-42889 that allows arbitrary code execution or contact with remote servers.
Fabasoft Folio and Fabasoft Business Process Cloud include the library, but do not use any function that is affected by the security vulnerability.
Nevertheless Fabasoft will update the library in its products as precaution.
No Fabasoft products are impacted by the Text4Shell vulnerability.
Although no Fabasoft product is using a vulnerable function of the library, Fabasoft will update the Apache Commons Text library in its products.
The Fabasoft Business Process Cloud will be updated on 26th October 2022 with the latest fixed Apache Commons Text library.
A preventative hotfix with the updated Apache Commons Text library will be released. See the list of versions below.
The Apache Commons Text library is part of Fabasoft Folio / Fabasoft eGov-Suite, but no Fabasoft product is affected by the vulnerable functions of the library.
For precaution, Fabasoft provides hotfixes for the following versions:
Versions before Fabasoft Folio / Fabasoft eGov-Suite 2022 do not include the Apache Commons Text library.
First published: 15 July 2022
Last update: 19 July 2022
Affected Components: Fabasoft Cloud, Fabasoft Folio Version 2022 June Release from build 260 to build 303 (18.104.22.1680 - 22.214.171.1243)
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, Basic Score: 7.3
Malicious contents can be injected on the web browser client in a detail view.
An attacker may create an object with the malicious content in the name. If the object is shown in the detail view, code may be executed in the current usersâ€™ context in the browser.
The cross site scripting vulnerability is fixed.
A hotfix was applied in the Fabasoft Cloud at 15. July 2022.
A hotfix is provided for Fabasoft Folio Version 2022 June Release. It is recommended to install this hotfix.
Fixed with following versions Fabasoft Folio:
Fabasoft Folio Version 2022 June Release (Version 22.6.0. 304 )
First published: 21 April 2022
Last update: 25 April 2022
Affected Components: Fabasoft Folio / Fabasoft eGov-Suite 2021 UR3, Fabasoft Folio / Fabasoft eGov-Suite 2022, Fabasoft Business Process Cloud
Severity: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Total Score: 8,8 HIGH
A privilege escalation is possible by an intruder on a Microsoft Windows client using the Fabasoft Folio/Cloud Client AutoUpdate-Service (installed with the Fabasoft Folio Client from Fabasoft Folio/eGov-Suite 2021 or the Fabasoft Cloud Enterprise Client).
Affected Fabasoft Folio / Fabasoft eGov-Suite versions:
Versions below Fabasoft Folio / eGov-Suite 2021 Update Rollup 3 are not affected.
Linux and Apple macOS clients are not affected.
In the case the vulnerability could be exploited, malicious software can be installed and executed on the client PC.
Fabasoft provides a hotfix for the Fabasoft Folio Client for the affected Fabasoft Folio / eGov-Suite versions. Please install/roll-out this hotfix immediately. If it is not possible to immediately update the Fabasoft Folio Client, see the possible workaround to disable the Fabasoft Folio Client Update Service below.
The current download of the Fabasoft Cloud Client from the Fabasoft Business Process Cloud already includes the hotfixed version of the Fabasoft Cloud Client.
If the Fabasoft Cloud Client is already installed, the update to the hotfixed version is triggered automatically.
Fabasoft provides the hotfixed Fabasoft Folio Client for the affected versions in the following teamroom:
Only the Fabasoft Folio Client on Windows PCs needs to be updated. There is no need to update the Fabasoft Folio / eGov-Suite domain.
The following Fabasoft Folio Client build numbers include the correction:
The correction is already included in the release kits of following versions:
The affected part of the Fabasoft Folio Client is the Fabasoft Folio Client Update Service, that is installed during the Fabasoft Folio Client installation.
This service is listed under Windows Services as
Set the service startup type to "Disabled" via Group Policy. By disabling these services, the security vulnerability cannot be exploited.
First published 4 April 2022
Last update: 4 April 2022
Affected Components: Identity Provider of the Fabasoft Cloud, Fabasoft Secomo
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 9.8
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Two components of the Fabasoft Cloud used the Spring framework with the affected version: Identity Provider of the Fabasoft Cloud and Fabasoft Secomo.
Remote code execution (RCE) would have be potentially possible on the affected components.
Fabasoft has provided a hotfix in the Fabasoft Cloud for all affected components on 01. April 2022 by updating the Spring framework to the latest version 5.3.18. No other remediation is required by the customer.
Note: Fabasoft Folio and the Fabasoft eGov-Suite do not make use of the Spring framework and are therefore not affected.
First published: 10 March 2022
Last update: 11 March 2022
Affected Components: Fabasoft eGov-Suite 2019/2020/2021/2022
Severity: not scored
Users with a position that has not granted system administrative permissions, may have permissions to edit their own user object, allowing them to self-assign a user role / position with system administrative permissions.
In the Fabasoft eGov-Suite, some positions (like "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") are limited administrative positions, but have permissions to edit their own user object to add the "Systemadministration" position to their own and others user object.
Dependent to the Fabasoft Solution and custom ACLs at the customer's installation, the security leak may or may not be exploited by restricted administrators.
A Fabasoft eGov-Suite user with restricted administrative permissions (like "Fachadministrator", "Mandantenadministrator" or "Dienststellenadministrator") may be possible to edit the own user object. The user would be possible to add a user role with full administrative privileges.
Please double-check all active user objects for the assigned user roles. Check, that only allowed users have the System Administration position.
Fabasoft provides hotfixes for the following Fabasoft eGov-Suite versions:
The correction is already included in:
With the corrected functionality, a special security check is performed when the user roles and tenants are tried to be changed. Furthermore, an auditlog entry is written on any change of the user roles.
Fabasoft recommends to contact your Fabasoft representative to check your installation against the issue.