Security vulnerability announcement: CVE-2011-2528 – Privilege escalation

by Laurence Rowe last modified Aug 01, 2011 09:59 AM
A highly serious vulnerability in Zope that allows unauthorised access

The fix was released at 15:00 UTC on Tuesday 28th June, 2011.

Full installation instructions.

Who should apply the patch

  • Plone 4.x users must apply this patch or update to Zope2 2.12.19 (Plone 4.0) or 2.13.8 (Plone 4.1).
  • Zope 2.12/2.13 users must apply this patch or update to Zope2 2.12.19 or 2.13.8.
  • Plone 3.x users: the vulnerability was inadvertently backported by the previous hotfix http://plone.org/products/plone-hotfix/releases/CVE-2011-0720 (PloneHotfix20110720). Plone 3.x users should install both PloneHotfix20110720 and this hotfix to make sure that they are protected against both sets of vulnerabilities.
  • Zope 2.10/2.11 users who are not using Plone: Zope 2.10 and 2.11 users who have not installed PloneHotfix20110720 are not affected by this vulnerability, and should not apply the patch. You should, however, make sure that you are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService 1.5.5, 1.6.5 or 1.7.5, which include fixes for the vulnerabilities in CVE-2011-0720. Please make sure that you have not installed PloneHotfix20110720; remove it if you have.

Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotfix on those sites.
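The version matrix above is easy to misread on a site that mixes Plone and Zope versions, so here is a small Python helper, added as an example and not part of the advisory or of the Zope project's own code, that turns it into a check. It takes the installed Zope2 version, the list of installed product names, and optionally the Plone and PluggableAuthService versions, and returns the advisory's recommendation for that combination. The hotfix names are the ones the advisory gives; the version strings and product lists in the usage lines are constructed sample input.

```python
# Added example: decide whether the CVE-2011-2528 hotfix applies to a site,
# following the "Who should apply the patch" matrix of the advisory.
from typing import Iterable, Optional, Tuple

HOTFIX_2528 = "Products.Zope_Hotfix_20110622"  # hotfix named in this advisory
HOTFIX_0720 = "PloneHotfix20110720"            # earlier hotfix for CVE-2011-0720

# Zope2 releases that already contain the CVE-2011-2528 fix.
FIXED_ZOPE_2528 = {(2, 12): (2, 12, 19), (2, 13): (2, 13, 8)}
# Zope2 / PluggableAuthService releases carrying the CVE-2011-0720 fixes.
FIXED_ZOPE_0720 = {(2, 10): (2, 10, 13), (2, 11): (2, 11, 8)}
FIXED_PAS_0720 = {(1, 5): (1, 5, 5), (1, 6): (1, 6, 5), (1, 7): (1, 7, 5)}
UNAFFECTED_ZOPE = {(2, 8), (2, 9)}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.12.19' -> (2, 12, 19), so that versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def hotfix_advice(zope_version: str, installed: Iterable[str],
                  plone_version: Optional[str] = None,
                  pas_version: Optional[str] = None) -> str:
    z = parse_version(zope_version)
    line = z[:2]                    # e.g. (2, 12) for the 2.12 release line
    products = set(installed)

    # Plone 3.x: the earlier hotfix backported the bug, so both are needed.
    if plone_version is not None and plone_version.startswith("3."):
        missing = [p for p in (HOTFIX_0720, HOTFIX_2528) if p not in products]
        return "install " + " and ".join(missing) if missing \
            else "ok: both hotfixes installed"

    # Zope 2.12 / 2.13 (Plone 4.x): hotfix or a fixed Zope2 release.
    if line in FIXED_ZOPE_2528:
        fixed = FIXED_ZOPE_2528[line]
        if z >= fixed or HOTFIX_2528 in products:
            return "ok: fixed"
        return f"install {HOTFIX_2528} or update Zope2 to {fmt(fixed)}"

    # Zope 2.10 / 2.11 without Plone: affected only via PloneHotfix20110720;
    # the CVE-2011-0720 fixes must come from Zope2 and PAS releases instead.
    if line in FIXED_ZOPE_0720:
        actions = []
        if HOTFIX_0720 in products:
            actions.append(f"remove {HOTFIX_0720}")
        if HOTFIX_2528 in products:
            actions.append(f"remove {HOTFIX_2528} (advisory says not to apply it here)")
        if z < FIXED_ZOPE_0720[line]:
            actions.append(f"update Zope2 to {fmt(FIXED_ZOPE_0720[line])}")
        if pas_version is None:
            actions.append("check PluggableAuthService is 1.5.5, 1.6.5 or 1.7.5")
        else:
            p = parse_version(pas_version)
            want = FIXED_PAS_0720.get(p[:2])
            if want is None or p < want:
                actions.append("update PluggableAuthService to 1.5.5, 1.6.5 or 1.7.5")
        return "; ".join(actions) if actions \
            else "ok: not affected by CVE-2011-2528; CVE-2011-0720 fixes present"

    # Zope 2.8 / 2.9 (Plone 2.5): unaffected, and the hotfix must not be installed.
    if line in UNAFFECTED_ZOPE:
        if HOTFIX_2528 in products:
            return f"remove {HOTFIX_2528}: not needed on Zope {fmt(line)}"
        return "ok: not affected"

    return "unknown Zope release line; consult the advisory"


if __name__ == "__main__":
    # Constructed sample inputs, not real site data.
    print(hotfix_advice("2.12.18", []))
    print(hotfix_advice("2.10.13", ["PloneHotfix20110720"], pas_version="1.5.5"))
    print(hotfix_advice("2.10.13", [], plone_version="3.3.5"))
```

The helper only compares version tuples and product names; on a live site you would feed it the output of your buildout or `pkg_resources` listing, which this example does not do. Running it on a Plone 3.3.5 site with neither hotfix installed returns "install PloneHotfix20110720 and Products.Zope_Hotfix_20110622", matching the advisory's instruction for Plone 3.x.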

Extra help

Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies under the providers section.

There is also free support available online.

Questions and Answers

Q: When will the patch be made available?

A: The Plone and Zope Security Teams released the patch at 15:00 UTC (11:00am US EDT) on Tuesday 28th June, 2011.

Q: How was this vulnerability found?

A: This issue was found as part of a routine audit performed by the Zope and Plone Security teams.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?

A: The Security Team has made the decision to not allow any early release of this patch so as to reduce the risks of exploitation. This decision applies to everyone, even Plone Foundation Members and Board members.

Q: If the patch has been developed already, why isn't it already made available to the public?

A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?

A: For obvious security reasons, the information will not be made available until after the patch is made available.

Q: Are there any third-party products I can use to protect my site until the patch is available?

A: No.

Q: Will making my database read-only protect my site?

A: This will not protect against unauthorized data access.

Q: What is the hotfix package named?

A: Products.Zope_Hotfix_20110622

Q: I already applied version 1.0 of the hotfix to my site. Do I need to install version 1.0-release2 now?

A: No. The code has not changed. The 1.0 release included a __MACOSX resource fork, which was confusing for non-Mac OS X users.

Q: I see "ImportError: No module named traversing" on startup after installing the hotfix.

A: You have installed the hotfix onto a Plone 2.5 or Zope 2.8/2.9 site. The hotfix is not required; you should remove it.