The Zope security response team is pre-announcing a fix for a vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.
This is a severe vulnerability that allows an unauthenticated attacker to employ a carefully crafted web request to execute arbitrary commands with the privileges of the Zope service.

Versions Affected: Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Zope 2.9.x, Zope 2.10.x, Zope 2.11.x

This is a pre-announcement. Due to the severity of this issue we are providing an advance warning of an upcoming patch, which will be released 2011-10-04 15:00 UTC.

What you should do in advance of patch availability
===================================================

Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details. This is to ensure that concerned users can plan around the release.

As the fix being published will make the details of the vulnerability public, we are recommending that all users plan a maintenance window for 30 minutes either side of the announcement where your site is completely inaccessible in which to install the fix.

Meanwhile, we STRONGLY recommend that you take the following steps to protect your site:

- Make sure that the Zope service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories.
- Use an intrusion detection system that monitors key system resources for unauthorized changes.
- Monitor your Zope, reverse-proxy request and system logs for unusual activity.

In this case, these are standard precautions that should be employed on any production system.

Extra help
==========

Should you not have in-house server administrators or a service agreement looking after your website, you can find consultancy companies on plone.net. There is also free support available online via the Zope mailing lists and the #zope IRC channels.

Questions and Answers
=====================

Q: When will the patch be made available?
A: The Security Team will release the patch at 2011-10-04 15:00 UTC.

Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be unpacked into the "products" folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Plone Security team.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Zope installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is made available.

Q: Is there a CVE record for this vulnerability?
A: Not yet. This information will be added when available.

If you have specific questions about this vulnerability or its handling, contact the Zope Security Team, security-respo...@zope.org.

To report potentially security-related issues, please send a mail to the Zope Security Team at security-respo...@zope.org. The security team is always happy to credit individuals and companies who make responsible disclosures.

Information for vulnerability database maintainers
==================================================

CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)
Impact Subscore: 6.4
Exploitability Subscore: 10
CVSS Temporal Score: 5.9
Credit: Alan Hoey

Tres.
-- 
===================================================================
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com

_______________________________________________
Zope-Announce maillist - Zope-Announce@zope.org
https://mail.zope.org/mailman/listinfo/zope-announce
Zope-Announce for Announcements only - no discussions
(Related lists - Users: https://mail.zope.org/mailman/listinfo/zope Developers: https://mail.zope.org/mailman/listinfo/zope-dev)