The Plone and Zope Security teams have announced the discovery of a highly serious vulnerability in Zope which affects Zope 2.12.x, Zope 2.13.x and Plone 4.x.
This vulnerability allows an anonymous attacker to carefully craft a URL enabling them to execute code on your server posing as the user that is running your Zope/Plone service. Due to the severity of this issue, the Plone Security Team is providing an advance warning of an upcoming patch, which will be released at 15:00 UTC (11:00am US EDT) on Tuesday, October 4th, 2011.
Due to the nature of the vulnerability, the security team has decided to pre-announce that a fix is upcoming before disclosing the details in order to ensure that affected users can plan around the patch release. As the fix being published will make the details of the vulnerability public, we are recommending that all users who are applying their own patches plan a maintenance window for 30 minutes either side of the announcement where the site is completely inaccessible in order to install the fix safely.
Questions and Answers
Q: When will the patch be made available?
A: The Plone and Zope Security Teams will release the patch at 15:00 UTC (11:00am US EDT) on Tuesday, October 4th, 2011.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Zope and Plone Security teams.
Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: The Security Team has made the decision to not allow any early release of this patch so as to reduce the risks of exploitation. This decision applies to everyone.
Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Plone installation(s). Some consultancy and hosting organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.
Q: What you should do in advance of patch availability?
A: The Plone Security team STRONGLY recommends that you take the following steps to protect your site if you are installing this patch yourself.
- Make sure that the Zope/Plone service is running with with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories.
- Use an intrusion detection system that monitors key system resources for unauthorized changes.
- Monitor your Zope, reverse-proxy request and system logs for unusual activity. In this case, these are standard precautions that should be employed on any production system.
Q: How does one exploit the vulnerability?
A: For obvious security reasons, the information will not be made available until after the patch is made available
Q: Are there any third-party products I can use to protect my site until the patch is available?
A: No.
Q: Will making my database read-only protect my site?
A: This will not protect against unauthorized data access.
Q: Who can apply the patch?
A: Your Plone development team can perform the work. In addition, Six Feet Up is available to install and test the patch on your staging and production instances. Please email support@sixfeetup.com for details. Requests will be addressed and work scheduled in the order that they are received.
