20131210 - Pre-announcement of hotfix

by Matthew Wilkes last modified Dec 10, 2013 02:50 PM
In keeping with our new policy of 4-monthly hotfixes, we are announcing the planned release of a security fix on Tuesday 10th December 2013.

CVE numbers not yet issued.

Versions Affected: All current Plone versions.

Versions Not Affected: None.

The patch will be released at 2013-12-10 15:00 UTC.

Release

This hotfix has now been released. See the release announcement for more information.

Preparation

This is a pre-announcement of availability of this security fix. As of now, there are no active exploits in the wild. However, once the fix becomes public, attackers might use this information to create exploits. Therefore, we are recommending that all Plone site administrators plan a maintenance window of 60 minutes following the release of the fix to install it.

If you are unable to have an administrator available at the time of release, you should consider alternatives. If your site is running on a protected intranet, make sure your firewall procedures are up to date. If your site is reachable from the internet, putting it in read-only mode until an administrator can apply the fix will mitigate risks, at the cost of limiting functionality (logging into a site won't work properly). In all cases, make sure to apply the fix as early as possible.

Standard security advice

  • Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories. Plone sites installed through our installers already do this.
  • Use an intrusion detection system that monitors key system resources for unauthorized changes.
  • Monitor your Zope, reverse-proxy request and system logs for unusual activity.
  • Make sure your administrator stays up to date by following the special low-volume Plone Security Announcements via email, RSS and/or Twitter.

These are standard precautions that should be employed on any production system, and are not tied to this fix.
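The first precaution above (the service account writes only to its log and data directories) is easy to state and easy to regress, for example after a manual `chmod` during an upgrade. The following Python script is an added example, not part of this announcement and not Plone's own tooling: it walks a buildout tree and lists every file or directory the service account could write to outside the directories it is expected to write. The allowed directories (`var/log`, `var/filestorage`, `var/blobstorage`) are an assumption based on the usual buildout layout and should be adjusted to your site; the paths, uid and modes in `demo_findings` are constructed for the stand-alone run.

```python
"""Least-privilege audit for a Zope/Plone buildout tree.

Added example (not Plone's own tooling). It lists every path under the
buildout root that the service account can write to but that lies outside
the directories the service is expected to write (log and data directories).
"""
import os
import stat
from typing import Iterable, List, NamedTuple

# Directories (relative to the buildout root) the service account may write.
# Assumed default buildout layout; var/blobstorage is used by Plone 4+ sites.
ALLOWED = ("var/log", "var/filestorage", "var/blobstorage")


class Entry(NamedTuple):
    path: str
    mode: int   # st_mode, including the file-type bits
    uid: int    # owning user
    gid: int    # owning group


def writable_by(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: Iterable[int]) -> bool:
    """Standard Unix permission check for a write by (uid, gids).

    Only one class of bits applies: owner bits if the user owns the file,
    otherwise group bits if one of the user's groups owns it, otherwise the
    'other' bits. POSIX ACLs and MAC policies are not considered.
    """
    if uid == 0:
        return True  # root bypasses DAC; the service should never run as root
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def is_allowed(path: str, root: str, allowed: Iterable[str] = ALLOWED) -> bool:
    """True if path is one of the allowed directories or lies beneath one."""
    for rel in allowed:
        base = os.path.join(root, rel)
        if path == base or path.startswith(base + os.sep):
            return True
    return False


def unexpected_writes(entries: Iterable[Entry], uid: int, gids: Iterable[int],
                      root: str, allowed: Iterable[str] = ALLOWED) -> List[str]:
    """Paths the service account can write to outside the allowed directories.

    Writable directories count as findings too: being able to create files
    in the products directory is as serious as modifying existing code.
    """
    gids = set(gids)
    findings = [e.path for e in entries
                if writable_by(e.mode, e.uid, e.gid, uid, gids)
                and not is_allowed(e.path, root, allowed)]
    return sorted(findings)


def scan_tree(root: str) -> List[Entry]:
    """Collect (path, mode, uid, gid) for every directory and file under root."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:  # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            entries.append(Entry(path, st.st_mode, st.st_uid, st.st_gid))
    return entries


def demo_findings() -> List[str]:
    """Constructed sample tree (not a real site) for a stand-alone run."""
    root = "/srv/plone"
    plone_uid, plone_gid = 1001, 1001  # constructed service account
    sample = [
        Entry("/srv/plone/bin/instance", 0o100755, 0, 0),
        Entry("/srv/plone/var/log/instance.log", 0o100644, plone_uid, plone_gid),
        Entry("/srv/plone/var/filestorage/Data.fs", 0o100640, plone_uid, plone_gid),
        # group-writable config owned by the service group: a finding
        Entry("/srv/plone/parts/instance/etc/zope.conf", 0o100664, 0, plone_gid),
        # world-writable products directory: a finding
        Entry("/srv/plone/products", 0o040777, 0, 0),
        Entry("/srv/plone/eggs/Products.CMFPlone/setup.py", 0o100644, 0, 0),
    ]
    return unexpected_writes(sample, plone_uid, [plone_gid], root)


if __name__ == "__main__":
    import pwd
    import sys
    if len(sys.argv) == 3:  # usage: audit.py <buildout-root> <service-user>
        root, user = sys.argv[1], sys.argv[2]
        pw = pwd.getpwnam(user)
        gids = os.getgrouplist(user, pw.pw_gid)
        for p in unexpected_writes(scan_tree(root), pw.pw_uid, gids, root):
            print(p)
    else:
        print("\n".join(demo_findings()))
```

Run it as the root user (so that `lstat` succeeds on every path) with the buildout root and the service account name as arguments; an empty result means the service can only write where the advice above says it should. The check deliberately stops at classic mode bits, so on hosts using POSIX ACLs treat its output as a lower bound and confirm with `getfacl`.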

Extra Help

If you don't have in-house server administrators, a hosting service, or a service agreement with a service provider who can handle the installation of this patch, there is free support available via Plone mailing lists and the Plone IRC channels. You can also find companies who can help with this by visiting the Plone Service Providers listing.

Q: When will the patch be made available?
A: The Plone Security Team will release the patch at 2013-12-10 15:00 UTC.

Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be unpacked into the products folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How were these vulnerabilities found?
A: The majority of issues were found as part of audits performed by the Plone Security Team. A subset were reported by users. More details will be available upon release of the patch.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all administrators at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it made available to the public now?
A: The Security Team is still testing the patch against a wide variety of configurations and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.

To report potentially security-related issues, e-mail the Plone Security Team at security@plone.org. We are always happy to credit individuals and companies who make responsible disclosures.

Information for Vulnerability Database Maintainers

We will issue individual advice on each issue, including CVSS2 and CWE identifiers, when the patch is released. We currently do not have CVE numbers assigned, but are in the process of applying.