Six Feet Up Available to Help Patch Zope Security Vulnerability Affecting Plone
June 22, 2011
The Plone and Zope Security Teams have announced the discovery of a highly serious vulnerability in Zope which affects Zope and Plone versions 2.5 through 4. The vulnerability allows privilege escalation: a user may be able to gain more access to a site than they have been assigned.
Due to the severity of this issue, the Plone Security Team is providing an advance warning of an upcoming patch, which will be released at 15:00 UTC (11:00am US EDT) on Tuesday, June 28th, 2011.
Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details, so that concerned users can plan around the release. Because publishing the fix will make the details of the vulnerability public, all users are advised to plan a maintenance window of 30 minutes either side of the announcement, during which the site is completely inaccessible, in which to install the fix.
For more details, please visit the Plone website.
Questions and Answers
Q: When will the patch be made available?
A: The Plone and Zope Security Teams will release the patch at 15:00 UTC (11:00am US EDT) on Tuesday 28th June, 2011.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Zope and Plone Security teams.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: The Security Team has decided not to allow any early release of this patch, so as to reduce the risk of exploitation. This decision applies to everyone, including Plone Foundation Members and Board members.
Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: For obvious security reasons, the information will not be made available until after the patch is made available.
Q: Are there any third-party products I can use to protect my site until the patch is available?
Q: Will making my database read-only protect my site?
A: This will not protect against unauthorized data access.
Q: Who can apply the patch?
A: Your Plone development team can perform the work. In addition, Six Feet Up is available to install and test the patch on your staging and production instances. Please email firstname.lastname@example.org for details. Requests will be addressed and work will be scheduled in the order that they are received.