Six Feet Up Available to Help Patch Zope Security Vulnerability Affecting Plone
November 02, 2012
The Plone and Zope Security teams have announced the discovery of a critical vulnerability affecting Zope and sites powered by all versions of Plone. The vulnerability allows privilege escalation, potentially allowing users to gain elevated access to resources that are normally protected from an application or user and possibly perform unauthorized actions.
Due to the severity of this issue, the Plone Security Team is providing an advance warning of an upcoming patch, which will be released at 15:00 UTC (10:00am US EDT) on Tuesday, November 6th, 2012.
Due to the nature of the vulnerability, the security team has decided to pre-announce the upcoming fix before disclosing its details, so that concerned users can plan around the release. Because the published fix will make the details of the vulnerability public, we recommend that all of our clients schedule time to apply the patch to their websites as soon as it becomes available.
You may also want to protect your site by putting it in maintenance mode from the time the vulnerability details are announced on Tuesday until the patch has been applied, to prevent any possible exploit. In maintenance mode the site is offline and, if you have one, a maintenance page is displayed to visitors. Please contact us ASAP if you'd like us to place your website in maintenance mode or assist you in doing so.
For more details, please visit the Plone website.
Questions and Answers
Q: When will the patch be made available?
A: The Plone Security Team will release the patch on 2012-11-06 at 10:00am US EST.
Q: What will be involved in applying the patch?
A: Patches are made available in two forms: as tarball-style archives that can be unpacked into the "products" folder of a buildout installation, and as Python packages that can be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.
Q: Will there be any downtime when the patch is applied?
A: Your site will go down briefly while the instance is restarted. This should be a matter of minutes.
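The two patching routes described above (tarball into the products folder, or Python package via buildout) followed by the instance restart, as an added shell example that is not Six Feet Up's or Plone's own tooling. It assumes the usual plone.recipe.zope2instance layout (a `bin/instance` script, a `products/` folder next to `buildout.cfg`, and an `[instance]` section whose `eggs = ${buildout:eggs}`); every hotfix egg and tarball name is a placeholder, since the real names only arrive with the release.

```shell
#!/bin/sh
# Added example, not Six Feet Up's or Plone's own tooling: the two patching
# routes from the answers above, run from the root of a buildout-based Plone
# installation. Hotfix names are placeholders; the real egg and tarball names
# arrive with the 2012-11-06 release.
set -eu

# Route 1 (Python package): write a small extension config instead of editing
# buildout.cfg by hand. "extends" keeps every existing setting and "eggs +="
# appends the hotfix egg to the shared egg list, which the [instance] part is
# assumed to pick up via eggs = ${buildout:eggs}.
write_hotfix_cfg() {
    base_cfg=$1     # existing config, e.g. buildout.cfg
    hotfix_egg=$2   # placeholder, e.g. Products.PloneHotfix_PLACEHOLDER
    out_cfg=$3      # new file to create, e.g. hotfix.cfg
    cat > "$out_cfg" <<EOF
[buildout]
extends = $base_cfg
eggs += $hotfix_egg
EOF
    printf '%s\n' "$out_cfg"
}

# Route 2 (tarball): unpack the archive into the buildout's products/ folder,
# which plone.recipe.zope2instance puts on the Zope products path. This route
# needs only an instance restart, not a buildout run.
unpack_hotfix_tarball() {
    tarball=$1        # placeholder, e.g. PloneHotfix_PLACEHOLDER.tar.gz
    products_dir=$2   # usually ./products
    mkdir -p "$products_dir"
    tar xzf "$tarball" -C "$products_dir"
}

# Route 1 follow-up: re-run buildout against the extension config (-N keeps
# buildout from fetching newer versions of everything else), then restart.
# The restart is the brief downtime the answer above mentions.
rebuild_and_restart() {
    cfg=$1
    bin/buildout -N -c "$cfg"
    bin/instance restart
}

# Check that the regenerated bin/instance script references the hotfix egg:
# buildout writes the egg paths it resolved into that script's sys.path block,
# so a missing entry means the patch did not make it into the instance.
hotfix_in_instance_script() {
    hotfix_egg=$1
    instance_script=${2:-bin/instance}
    grep -q "$hotfix_egg" "$instance_script"
}
```

Typical use for the package route is `write_hotfix_cfg buildout.cfg Products.PloneHotfix_PLACEHOLDER hotfix.cfg`, then `rebuild_and_restart hotfix.cfg`, then `hotfix_in_instance_script Products.PloneHotfix_PLACEHOLDER` to confirm the egg was actually resolved before taking the site out of maintenance mode; for the tarball route, `unpack_hotfix_tarball` followed by `bin/instance restart` is enough.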
Q: How were these vulnerabilities found?
A: The majority of the issues were found during audits performed by the Plone Security Team. A subset were reported by users. More details will be available upon release of the patch.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time. There are no exceptions.
Q: If the patch has been developed already, why isn't it made available to the public now?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: This information will not be made public until after the patch is made available.
Q: Who can apply the patch?
A: Your Plone development team can perform the work. Please email firstname.lastname@example.org for details and/or to schedule the work. Requests will be addressed and work scheduled based on the order in which requests are received. Please email email@example.com if you run into issues or questions when patching the site yourself.