First published: 19 February 2016
Last update: 25 November 2020
ID: -
Affected Components: Red Hat Enterprise Linux / CentOS
Severity: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, Basic Score: 8.1 (High)
Status: Final
CVEs: CVE-2015-7547
The following information was made available by Red Hat concerning this vulnerability: A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.
For further information, please refer to the References section.
At the moment we do not know about specific security issues in our products based on this vulnerability.
Regardless of this, we advise that all Linux servers using a vulnerable version of glibc are patched immediately, as there might be currently unknown situations or other vulnerable services active that may compromise the systems integrity.
Following an update of glibc there may be a change in the locale settings leading to a different localisation appearance for some Fabasoft products (eg. timestamps, currency display).
If you experience problems, such as an incorrect date format, please rerun the setup of the Fabasoft product to correct the system settings. For further information, please refer to the Applies to section.
Reruninng the Setup is required for versions earlier than
Fabasoft eGov-Suite 2013
Fabasoft Folio 2012 Spring Release
Last update: 6 November 2020
This is an advisory regarding a security issue in the glibc library also known as GHOST.
The following information was made available by Red Hat concerning this vulnerability: A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
For further information, please refer to the References section.
Current analysis of our products indicated that there is no known security issue based on this vulnerability.
Regardless of this, we advise that all Linux servers using a vulnerable version of glibc are patched immediately, as there might be currently unknown situations or other vulnerable services active that may compromise the systems integrity.
Following an update of glibc there may be a change in localisation for some Fabasoft products.
If you experience problems, such as an incorrect date format, please rerun the setup of the Fabasoft product to correct the system settings
Last update: 6 November 2020
This is an information regarding a security issue in the Unix Bash (Bourne Again Shell) commonly used in Linux environments as well as Mac OS.
CVE-2014-6271
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
CVE-2014-7169
This CVE describes the incomplete fix of CVE-2014-6271 in the first round of patches
For further information, please refer to the References section.
Due to the fact that Fabasoft products do not use CGI Scripts on Linux environments they are not directly affected by this vulnerability.
We strongly suggest you immediately install the latest patches for the bash executable on all systems!
All major Linux distribution have released patches, both for the original and the followup CVE. So far there are no known problems with either of these patches. As of writing this article the second patch has not yet been distributed to all patch mirrors, due to this it is advised to verify the version of the patch provided from your mirror.
First published: 09 May 2016
Last update: 25 November 2020
ID: FSC03839
Affected Components: Fabasoft Folio
Severity: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Basic Score: 8.4 (High)
Status: Final
CVEs: CVE-2016-3714 , CVE-2016-3718
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
For further information, please refer to the References section.
Currently it is possible to deactivate the vulnerable conversions by including the following lines in the <policymap> tag of your policy.xml for ImageMagick:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
Please be aware that adding the above lines will currently lead to an error while converting svg files.
The fixed ImageMagick library is shipped with Fabasoft Folio from these versions:
First published: 15 April 2015
Last update: 25 November 2020
ID:
Affected Components: Fabasoft Folio on Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012 and R2
Severity: AV:N/AC:L/Au:N/C:C/I:C/A:C, Basic Score: 10.0 (High)
Status: Final
CVEs: CVE-2015-1635
This is an information regarding a security issue in the Windwos HTTP protocol stack (HTTP.sys) used in Windows Operating Systems. Most importantly this vulnerability affects the Internet Information System (IIS) Component of Windwos Server environments.
CVE-2015-1635
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Fabasoft Products
Our internal tests when using the KB3042553 provided by Microsoft have shown no negative effects on any of our products
We strongly recommend you to install the Microsoft KB3042553 Patch on all systems!
So far there are no known problems with this patch.
All Fabasoft products running on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
Last update: 6 November 2020
This is an information regarding a security issue in Oracle Java SE (Standard Edition) and Oracle JRockit.
An undisclosed vulnerability has been found in Oracle Java SE (Standard Edition) and Oracle JRockit.
According to the Oracle Critical Patch Update Advisory - July 2014 this vulnerability applies to "...client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service."
For further information, please refer to the References section.
Although the CVE-2014-4244 vulnerability also applies to versions of Java SE 6 Update 75 (6u75) and earlier, the support for Java SE 6 has expired and new versions of Java SE 6 are only available through the Java SE Support program. Therefore, assistance with the upgrade of Java SE 6 can only be provided by your Oracle software vendor.
If you are using Java SE 7 Update 60 (7u60) or lower we recommend to update to Java SE 7 Update 65 (7u65), available from Oracle.
The Java binary is used in a wide range of Fabasoft products, including Fabasoft Folio, Fabasoft eGov-Suite and Fabasoft Mindbreeze.
Warning: Upgrading your Java SE version may lead to unexpected behaviour. Please test extensively before issuing the update on a productive system.
For all versions of Fabasoft Folio and Fabasoft eGov-Suite that support Java SE 7, no additional steps need to be taken after upgrading the Java SE version.
If you are using a version of Fabasoft Mindbreeze that supports Java SE 7, you need to apply a hotfix in addition to updating to Java SE 7 Update 65.
Note: If you require the aforementioned hotfix for your Fabasoft Mindbreeze installation, please contact Fabasoft Support.
Currently no versions of Fabasoft products require Java SE 8 in any affected version.
Last update: 6 November 2020
This is an information regarding a security issue in the OpenSSL library.
Notice: This is an urgency released article. Further information may be added, therefore please re-check for information updates.
A severe programming error has been identified in the OpenSSL library, which affects the most recent versions of the OpenSSL library. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
More information can be found at:
If you use SSL on your server for any service we strongly suggest that you make sure your server is not vulnerable, and if it is vulnerable that you apply the fixes which have already been provided by most operating system vendors.
The OpenSSL library is used in a wide range of Fabasoft products as well, including Fabasoft Folio, Fabasoft eGov-Suite, Fabasoft Mindbreeze and Fabasoft app.telemetry.
The IMAP Server functionality in the following Fabasoft Folio versions may be affected (both Microsoft Windows and Linux):
If you use Fabasoft IMAP Server in one of these listed versions, please contact Fabasoft Support to request a hotfix with an updated OpenSSL library.
Also other parts of Fabasoft Folio / Fabasoft eGov-Suite are using OpenSSL statically or included in a Fabasoft binary, but only for internal service communication, not for communication between users and Fabasoft Folio / Fabasoft eGov-Suite. Therefore the risk of the OpenSSL security issue is much lower in this area. Hotfixes with an updated OpenSSL library are available as listed above.
Fabasoft products and components installed on Linux operating systems are using the OpenSSL library of the operating system:
Fabasoft suggests to update all affected operating systems to the latest OpenSSL library. Fabasoft products installed under Microsoft Windows use the unaffected Microsoft SSL implementation.
First published: 6 November 2013
Last update: 6 November 2013
ID: -
Severity: (not measured)
Status: Final
CVEs: (unknown)
A security vulnerability was found in the Fabasoft Portlet for Liferay that can allow Cross Site Scripting, if an attacker modifies the URL in a special way.
An attacker can exploit this vulnerability to run JavaScript code on the client machine.
An article about the risks of cross-site scripting (XSS) can be found at Wikipedia.
Webservers and services in the backend are not affected by this vulnerability. No code execution can be done on these machines. Only client machines are at risk.
A hotfix for the portlet is available for the Fabasoft software versions listed below.
If you use a Liferay production environment in an insecure network (Internet), please open a ticket at Fabasoft Service Desk including your current Fabasoft Folio/eGov-Suite version.
On January 28th 2011 Microsoft has released the Security Advisory 2501696 concerning a MHTML Script Injection vulnerability in Microsoft Internet Explorer. In context of this Security Advisory and respectively KB 2501696 Microsoft released a FixIt to address this issue preliminary to an official hotfix. According to Microsoft the only side effects they have encountered are script execution and ActiveX being disabled within MHT documents.
As Microsoft expects limited impacts in most environments due to the changes mentioned above, exploratory tests have shown no impact on Fabasoft Folio or the Fabasoft eGov-Suite. These tests have been performed using
In general, Fabasoft Folio 2009 Fall Release (and higher) respectively Fabasoft eGov-Suite 8.0 (and higher) might not be affected as MHT is not used (e.g. for object-overviews) in these versions. As PDF-overviews are used instead we can't see an impact on these versions.
In contrast Fabasoft eGov-Suite 7.0 SP2 and SP3 used MHT e.g for file overviews and could be affected by this security enhancement by Microsoft. Nevertheless, no impact could be found in our basic tests using file-overviews and file-documentations.
Please note that no comprehensive regression testing has been performed. This information is provided "as is" with no warranties. We suggest further testing in your environment if you are planning to deploy this security enhancement.