Most Plone installations are not vulnerable and do not need the hotfix. Please read this announcement carefully for instructions on how to determine whether or not you need to apply the hotfix.
The announced vulnerability is in Zope's default authentication system. When a Plone site is installed in a Zope database, the Plone installation usually replaces the basic Zope authentication system with the Pluggable Authentication System (PAS). PAS is not vulnerable to this problem.
You may verify that you are using PAS by using the Zope Management Interface to examine the acl_users object in the root of your Zope database.
If the title of the object reads "User Folder at /acl_users", your system is vulnerable and you should apply the hotfix.
If the title of the object reads "Pluggable Auth Service at /acl_users", your system is not vulnerable.
Versions Affected: Zope 2.12.x <= 2.12.20 and Zope 2.13.x <= 2.13.10 that do not have the Pluggable Authentication System installed.
Versions Not Affected: Zope installations where Plone installation has replaced the Zope baseline authentication system.
See the Zope Hotfix Announcement for details on installing the hotfix.
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.
To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org. The security team is always happy to credit individuals and companies who make responsible disclosures.
]]>Full installation instructions.
This is a severe vulnerability that allows an unauthenticated attacker to employ a carefully crafted web request to execute arbitrary commands with the privileges of the Zope/Plone service.
CVE-2011-3587
Versions Affected: Plone 4.0 (through 4.0.9); Plone 4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Versions of Plone that use Zope other than Zope 2.12.x and Zope 2.13.x.
This is a pre-announcement. Due to the severity of this issue we are providing an advance warning of an upcoming patch, which will be released on this page at 2011-10-04 15:00 UTC.
Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details. This is to ensure that concerned users can plan around the release. As the fix being published will make the details of the vulnerability public, we are recommending that all users plan a maintenance window for 30 minutes either side of the announcement where your site is completely inaccessible in which to install the fix.
Meanwhile, we STRONGLY recommend that you take the following steps to protect your site:
In this case, these are standard precautions that should be employed on any production system.
Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies on plone.net.
There is also free support available online via Plone mailing lists and the Plone IRC channels.
Q: When will the patch be made available?
A: The Plone Security Team will release the patch at 2011-10-04 15:00 UTC.
Q. What will be involved in applying the patch?
A. Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Plone Security team.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time. There are no exceptions.
Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is made available.
General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.
To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org. The security team is always happy to credit individuals and companies who make responsible disclosures.
CVSS Base Score
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)
Impact Subscore
6.4
Exploitability Subscore
10
CVSS Temporal Score
5.9
Credit
Alan Hoey
Full installation instructions.
Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotifx on those sites.
Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies under the providers section.
There is also free support available online.
Q: When will the patch be made available?
A: The Plone and Zope Security Teams released the patch at 15:00 UTC (11:00am US EDT) on Tuesday 28th June, 2011.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Zope and Plone Security teams.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: The Security Team has made the decision to not allow any early release of this patch so as to reduce the risks of exploitation. This decision applies to everyone, even Plone Foundation Members and Board members.
Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: For obvious security reasons, the information will not be made available until after the patch is made available.
Q: Are there any third-party products I can use to protect my site until the patch is available?
A: No.
Q: Will making my database read-only protect my site?
A: This will not protect against unauthorized data access.
Q: What is the hotfix package be named?
A: Products.Zope_Hotfix_20110622
Q: I already applied version 1.0 of the hotfix to my site. Do I need to install version 1.0-release2 now?
A: No. The code has not changed. The 1.0 release included a __MACOSX resource fork which was confusing for non Mac OS X users.
Q: I see "ImportError: No module named traversing" on startup after installing the hotfix.
You have installed the hotfix onto a Plone 2.5 or Zope 2.8/2.9 site. The Hotfix is not required; you should remove it.
]]>As such, we have released version 2.0 of this fix which contains a tighter check for potential attacks, which is available at http://plone.org/products/plone-hotfix/releases/20110531. If you have already installed Hotfix20110531 on Plone 4 you need to update to version 2.0. For Plone 3.x and Plone 2.x, if Hotfix20110531 is not yet installed you should install version 2.0. If you have version 1.0 of Hotfix20110531 installed on Plone 3.x or 2.x you do not need to upgrade.
For those who used buildout to install the fix all that needs be done is for it to be re-run to pick up the latest versions.
We apologise for the inconvenience this has caused; we will be doing a postmortem on this fix to further improve our security patch release procedures in the coming weeks.
]]>As this vulnerability was disclosed publicly it is highly recommended that all site administrators and their privileged users reset their passwords.
The Hotfix for this vulnerability is Hotfix 20110531.
6.8
Impact Subscore6.9
Exploitability Subscore8
Overall CVSS Score6.8
]]>This vulnerability was discovered and responsibly disclosed by Daniel Berlin and Dan Bentley, both of Google, and independently by Brian Peters, an independent researcher.
The Hotfix for this vulnerability is Hotfix 20110531.
6.4
Impact Subscore4.9
Exploitability Subscore10
Overall CVSS Score6.4
]]>
This vulnerability was responsibly disclosed by J. Greil after discovery by S. Streichsbier, both of SEC Consult.
The Hotfix for this vulnerability is Hotfix 20110531.
5
Impact Subscore2.9
Exploitability Subscore10
Overall CVSS Score5
]]>All versions of Plone since 2.5 are affected, viz. 2.5, 3.0, 3.1, 3.2, 3.3, 4.0; including all minor and development revisions of these versions. Plone versions prior to 2.5, including Plone 1.0, Plone 2.0 and Plone 2.1 are not affected.
The fix was released at 1621 UTC on Tuesday 8th February.
Full installation instructions.
Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies on plone.net.
There is also free support available online.
Due to the nature of the vulnerability, the security team decided to pre-announce that a fix is upcoming before disclosing the details, to ensure that concerned users can plan around the release. As the fix being published will make the details of the vulnerability public we are recommending that all users plan a maintenance window for 30 minutes either side of the announcement where your site is completely inaccessible in which to install the fix.
We recommended to people that could not have a scheduled downtime that they take one of the following steps to protect their site from before the announcement until you apply the fix:
These did not need to be in place for the entire week but should already be in place before the fix and vulnerability details are released next week. By preventing modifications to your site and patching your site quickly you remove the incentive for potential attackers to attempt this attack.
Q: When will the patch be made available?
A: It is available now! The Plone Security Team released the patch at 16:21 GMT (11:21am US ET) on Tuesday February 8th, 2011.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Plone Security team.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: The Security Team has made the decision to not allow any early release of this patch so as to reduce the risks of exploitation. This decision applies to everyone, even Plone Foundation Members and Board members.
Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: For obvious security reasons, the information will not be made available until after the patch is made available.
Q: How can I be sure my website hasn't already been compromised?
A: Yes, there is a script which will check your zope or apache log files for suspicious activity. Download it then run it as: python logchecker.py /path/to/your/instance-Z2.log
Q: Are there any third-party products I can use to protect my site until the patch is available?
A: No.
Q: I already applied version 1.0 of the hotfix to my site. Do I need to install version 1.1 now?
A: You only need version 1.1 of the hotfix if you got exceptions when trying to use version 1.0. Version 1.1 fixes 2 minor installation edge cases but does not change the nature of the fix that is applied.
The fix is included in an update of PortalTransforms.
Alan Hoey of Team Rubber found a bug in the html filtering of all Plone versions. Users who can create content can exploit this flaw to circumvent the normal HTML filtering.
This issue has been assigned the number CVE-2010-2422.
All Plone releases since 2.1 are affected.
To install this hotfix download and unzip the distribution and add the directory PloneHotfix20100612 to your instance products directory. If the hotfix has been successfully added you will see the following message when starting the instance in foreground mode:
2010-06-12 23:54:28 INFO PloneHotfix20100612 safe_html patched
Although this hotfix will work with any version of Plone, users of Plone 3.2 to Plone 3.3.5 should instead add the following to their buildout configuration files and re-run buildout:
[versions] Products.PortalTransforms = 1.6.12
There will be no confirmation message on start-up, so the presence of the fix can be verified by checking the version number of PortalTransforms in the Zope Control Panel.
No incidents of this vulnerability being exploited have been reported.
Karen Chan of Isotoma Limited found a bug in the login form handling of Plone 3.x. An already authenticated user could exploit this error and assume the identity of another user.
This issue has been assigned CVE-2009-0662.
All Plone 3.x releases are affected.
Plone 2.5 and earlier releases are not affected.
If you are using Plone 3.0.x or 3.1.x you can download and install a new PlonePAS product release. The product can be installed as a normal Plone product:
If you're using Plone 3.0 or Plone 3.1 with buildout you can update the productdistros section of your buildout.cfg to download the hotfix for you, as follows:
[productdistros]
recipe = plone.recipe.distros
urls =
http://plone.org/products/plonepas/releases/3.2.2/PlonePAS-3.2.2.tar.gz
nested-packages =
version-suffix-packages =
[productdistros]
recipe = plone.recipe.distros
urls =
http://plone.org/products/plonepas/releases/3.9/PlonePAS-3.9.tar.gz
nested-packages =
version-suffix-packages =
If you are using Plone 3.2.x you should use the Products.PlonePAS 3.9 egg release.
If you are using buildout you can update the version pin for this package by adding this entry to your buildout.cfg file:
[versions] Products.PlonePAS = 3.9
If your buildout.cfg already has a "[versions]" part, just add the "Products.PlonePAS = 3.9" line. If there is no "[versions]" section, just add one to the end of your buildout.cfg file.
After making this change you need to stop Zope, run bin/buildout, and restart Zope.
If you are not using buildout you can use the easy_install command to install an updated version of Products.PlonePAS:
$ easy_install -U Products.PlonePAS==3.9
Restart Zope.
No incidents of this vulnerability being exploited have been reported.
A framework to protect Plone against CSRF attacks has been developed in the form of PLIP 224 for Plone 3.1 and is available for Plone 3.0 via Plone Hotfix CVE-2008-0164. For older versions of Plone (i.e. the 2.x and 1.0 series), please upgrade. If you are unable to upgrade, see the Temporary Workaround section below.
This issue has been assigned CVE-2008-0164.
All Plone releases are affected.
Plone 3.1 and later includes a fix for this issue, and does not need this hotfix.
If you are using Plone 3.0.x you can download and install Plone Hotfix CVE-2008-0164. The hotfix can be installed as a normal Plone product:
If you can't upgrade your sites to the latest version of Plone yet, there are some simple steps you can take to make sure you are not affected by this vulnerability.
The most important thing to understand is that this vulnerability is not remotely exploitable — i.e. it requires you to take a particular action, and a targeted attack for you to be exposed. Thus, you can make sure you are not affected by this quite easily:
Only log in as the administrator user when you really need to,
and log out when you are done. Do not visit untrusted web sites
(especially in other tabs of the same browser) while you are logged in
to your Plone site as an administrator. Try to limit browsing of
untrusted sites even when you are logged in as a normal user.
As long as you do not visit other sites while operating your Plone site, this vulnerability cannot affect you. Plone has built-in protection against this since version 2.1 for the Plone site itself, so you only need to worry about visiting non-Plone sites that do not filter out malicious HTML. (But double check that you haven't manually turned off HTML filtering in your site to allow risky HTML like forms and Javascript).
If your habit is to browse your site logged in as an administrator, we encourage you to create a normal user for this instead, and only use the admin account when you really need to.
The real fix is of course to upgrade Plone to the latest release as soon as possible.
plone.protect and plone.keyring modules for making use of this in your own applications.No incidents of this vulnerability being exploited have been reported.
These fixes will be included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed.
If an updated Plone is not released by the time you read this, or you can not upgrade your Plone, you can install Plone Hotfix 2007-11-06. The hotfix can be installed as a normal Zope product:
The upcoming releases of Zope will have this fix included, in the meantime, please download the hotfix for your installations. Unpack the product and restart Zope, and the vulnerability will be patched.
You are only affected by this vulnerability if you allow untrusted users to log in to your site and create content.
This news item will be updated once a CVE number has been assigned.
]]>Plone versions 1.0.x, 2.0.x and 2.1.x are NOT affected unless you have separately installed PlonePAS and have not configured a prefix property on the source_groups plugin.
This vulnerability only applies to sites which allow member registration to anonymous users.
If Plone 2.5.2 is not released by the time you read this, or you can not upgrade your Plone, you can install Plone Hotfix 2006-10-31. The hotfix can be installed as a normal Zope product:
No incidents of this happening to sites in the wild have been reported.
Affected Plone versions are: