The Plone Foundation Announces Patch for Security Vulnerabilities
June 02, 2011
The Plone Security Team has announced four recently discovered vulnerabilities in the Plone content management system. The Security Team has provided a patch for Plone sites running versions 2.5 - 4. Sites using Plone versions prior to 2.4 are affected by the security issues, but are no longer supported by the community and no patch will be provided. Sites running these older, unsupported versions of Plone should be updated to a newer version that is covered by the patch.
The Plone Security Team recommends all Plone developers and site admins update their Plone instances as soon as possible. The hotfix addresses the following 4 issues:
- CVE-2011-1950 – An escalation of privileges attack
Description: This vulnerability in plone.app.users affects Plone 4.0 and 4.1 and makes it possible for an authenticated Plone user to edit the properties of other users, bypassing authorization checks.
- CVE-2011-1949 – A persistent cross site scripting vulnerability
Description: This is a vulnerability in Plone versions using Products.PortalTransforms, including Plone 2.1 through 4.1. It allows an authenticated user to craft markup that bypasses Plone's safe_html filter to insert and save arbitrary HTML with malicious content.
- CVE-2011-1948 – A reflected cross site scripting vulnerability
Description: This vulnerability allows specially crafted URLs to return arbitrary content in all Plone versions.
- Denial of service: A user can prevent other users from logging in.
Description: This is a vulnerability in Products.PluggableAuthService that affects all versions of Plone that use it, including 2.5 through 4.1.
1) When will the patch be available?
The Plone Security Team made the patches available June 1st, 2011.
2) What versions of Plone are supported by the patch?
The hotfix is supported on Plone 3 and 4. It is also known to work on Plone 2.5, and may work on older versions of Plone.
3) Will the patches be released in a future version of Plone?
The fixes included will be incorporated into subsequent releases of Plone, so Plone 4.0.7, 4.1rc3, and greater will not require this hotfix.
4) How complex is the update?
Fixing the security issues will be done by installing a hotfix. This will necessitate a restart of the instance. The site may be down for a few minutes while the restart occurs.
5) How is the patch applied?
No existing code will be changed. Instead, a package will be added, via either buildout or a drop-in Plone add-on product, that will patch the vulnerabilities. This patch will be included in future versions of Plone, so, once you upgrade, you may remove this hotfix.
6) Can I install the patch myself?
Your Plone development team can perform the work. Installation instructions for the hotfix can be found at: http://plone.org/products/plone-hotfix/releases/20110531
7) Can Six Feet Up install the patch for my sites?
Six Feet Up is available to install the patch on your staging and production instances. We are monitoring the announcements by the Plone community and sending updates to our clients with recommendations regarding security issues. Please contact Carol Ganz with any questions.