Six Feet Up Available to Help Patch Plone Security Vulnerability
February 01, 2011
The Plone Security Team has announced that it has found a critical vulnerability in Plone 2.5 through Plone 4 that allows anonymous users to elevate their privileges to the Manager role, the equivalent of giving someone root access to the site. An anonymous user could therefore view unpublished content, create new content and modify a site's look and feel.
Due to the severity of this issue, the Plone Security Team is providing an advance warning of an upcoming patch, which will be released at 11am US ET (16:00 GMT) on Tuesday February 8th, 2011.
Because publishing the fix will reveal the details of the vulnerability, it is STRONGLY recommended that you plan to apply the patch immediately after it is released.
If you cannot patch your site right away, the Plone Security Team recommends that you protect your site from the moment the patch is released until you have applied it:
1 - Make your database read-only.
2 - Disable logins by filtering HTTP authentication and cookies in Apache or Varnish.
For more details, please visit the Plone website.
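Step 2 above, as an added example that is not from the original post, Six Feet Up or the Plone Security Team: an Apache virtual host in front of a Zope/Plone instance that strips the request headers carrying credentials before they reach Zope. The back-end address localhost:8080, the site id "Plone" and the hostname www.example.org are assumptions; adjust them to your own deployment.

```apache
# Emergency stop-gap for a Plone site served through Apache.
# Added example, not the Plone Security Team's or Six Feet Up's configuration;
# keep it in place only until the hotfix is installed and the instance restarted.
<VirtualHost *:80>
    ServerName www.example.org

    # Assumption: the Zope instance listens on localhost:8080 and the Plone site
    # is served through VirtualHostMonster. Requires mod_rewrite and mod_proxy.
    RewriteEngine On
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/Plone/VirtualHostRoot/$1 [P,L]

    <IfModule mod_headers.c>
        # Drop HTTP Basic credentials (ZMI, WebDAV and scripted clients)
        # so no request can authenticate with a username and password header.
        RequestHeader unset Authorization

        # Drop all cookies so an existing login cookie (Plone's __ac cookie,
        # assuming the default cookie name) is never presented to Zope;
        # every request therefore arrives as Anonymous.
        RequestHeader unset Cookie
    </IfModule>
</VirtualHost>
```

Header filtering does not cover a username and password submitted as form fields in a POST body, so pair it with step 1: for a FileStorage or ZEO client, `read-only true` in the storage section of zope.conf (an assumption about your configuration; check the section your instance uses) prevents any request that does authenticate from writing to the database. Both changes need a reload of Apache and a restart of the instance respectively, and both should be reverted once the hotfix is in place.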
1) When will the patch be available?
The Plone Security Team is planning on making the patch available at 1600 GMT (11am US ET) on Tuesday 8th February 2011. Once it is available, your site will need to be either patched or protected immediately.
2) How complex is the update?
Fixing the security issue will be done by applying a patch. It shouldn't take long. This will necessitate a restart of the instance. The site may be down for a few minutes while the restart occurs.
3) What kind of testing is required?
We recommend running the patch on your staging instance and running automated (if available) or at least manual tests on both your staging and your production instances.
4) How is the patch applied?
No existing code will be changed. Instead, a package will be added, via either buildout or a drop-in Plone add-on product, that will patch the vulnerability until a new full release of Plone is available. Once it is available, we recommend you upgrade your site.
5) Who can apply the patch?
Your Plone development team can perform the work. In addition, Six Feet Up is available to install and test the patch on your staging and production instances. Please email firstname.lastname@example.org for details. Requests will be addressed and work will be scheduled in the order that it is received.