Channel: Planet Plone - Where Developers And Integrators Write

Plone.org: Security vulnerability announcement: 20110928 - Arbitrary Code Execution


This is a severe vulnerability that allows an unauthenticated attacker to employ a carefully crafted web request to execute arbitrary commands with the privileges of the Zope/Plone service.

Versions Affected: Plone 4.0 (through 4.0.9); Plone 4.1; Plone 4.2 (a1 and a2); Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Versions of Plone that use Zope other than Zope 2.12.x and Zope 2.13.x.

This is a pre-announcement. Due to the severity of this issue we are providing an advance warning of an upcoming patch, which will be released on this page at 2011-10-04 15:00 UTC.

What you should do in advance of patch availability

Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details. This is to ensure that concerned users can plan around the release. Because publishing the fix will make the details of the vulnerability public, we recommend that all users plan a maintenance window of 30 minutes either side of the announcement, during which your site is completely inaccessible, in which to install the fix.

Meanwhile, we STRONGLY recommend that you take the following steps to protect your site:

  1. Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories.
  2. Use an intrusion detection system that monitors key system resources for unauthorized changes.
  3. Monitor your Zope, reverse-proxy request and system logs for unusual activity.

In this case, these are standard precautions that should be employed on any production system.
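As an added check for step 1 above (example code, not part of the advisory or of Plone): a script that walks a buildout tree and reports every path the service account could write to outside the log and data directories, applying the POSIX owner/group/other rule to each entry's mode bits. The buildout layout, file names and the "service account" uid/gid it audits with are constructed assumptions; a real audit would pass the uid and groups of the account the instance runs as.

```python
import os
import shutil
import stat
import tempfile

ALLOWED_WRITABLE = ("var/log", "var/filestorage")  # assumed buildout log/data dirs

def _writable_by(st, uid, gids):
    """POSIX rule: owner bits if uid matches, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_outside_allowed(root, uid, gids, allowed=ALLOWED_WRITABLE):
    """Relative paths the account could write to outside the allowed directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            rel = os.path.relpath(entry, root)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(entry)  # symlinks are skipped; their targets are checked
            if not stat.S_ISLNK(st.st_mode) and _writable_by(st, uid, gids):
                findings.append(rel)
    return sorted(findings)

def build_sample_tree():
    """Constructed sample buildout (not a real site) with one deliberate finding."""
    root = tempfile.mkdtemp(prefix="plone-buildout-")
    files = {"bin/instance": 0o755, "etc/zope.conf": 0o644,
             "var/log/instance.log": 0o664, "var/filestorage/Data.fs": 0o664,
             "parts/stray.pth": 0o664}  # group-writable outside var/: flagged
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, _d, _f in os.walk(root):  # deterministic directory modes
        os.chmod(dirpath, 0o775 if os.path.relpath(dirpath, root) in ALLOWED_WRITABLE else 0o755)
    return root

def audit_sample():
    """Audit the sample as an account in the files' group but not their owner."""
    root = build_sample_tree()
    try:
        return writable_outside_allowed(root, os.getuid() + 1, {os.stat(root).st_gid})
    finally:
        shutil.rmtree(root)
```

Anything the script lists is a location the service could alter if compromised; a clean result for a real install is that only the log and data directories are reported writable.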

Extra help

Should you not have in-house server administrators or a service agreement looking after your website you can find consultancy companies on plone.net.

There is also free support available online via Plone mailing lists and the Plone IRC channels.

Questions and Answers

Q: When will the patch be made available?
A: The Plone Security Team will release the patch at 2011-10-04 15:00 UTC.

Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation, and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Plone Security team.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is made available.

Q: Is there a CVE record for this vulnerability?
A: Not yet. This information will be added when available.

General questions about this announcement, Plone patching procedures, and availability of support may be addressed to the Plone support forums. If you have specific questions about this vulnerability or its handling, contact the Plone Security Team.

To report potentially security-related issues, please send a mail to the Plone Security Team at security@plone.org. The security team is always happy to credit individuals and companies who make responsible disclosures.

Information for vulnerability database maintainers

CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)
Impact Subscore: 6.4
Exploitability Subscore: 10
CVSS Temporal Score: 5.9
Credit: Alan Hoey

