SECURITY ADVISORY
- PUBLISHED: August 18, 2022
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSIONS: OTOBO 10.0
- REFERENCE: https://nvd.nist.gov/vuln/detail/CVE-2022-4427
Description
Problem
With this release we again fix vulnerabilities that would have allowed attackers with OTOBO administrator privileges to escalate their privileges.
- In systems where ConfigLevel settings were in use, OTOBO administrators, or attackers who had obtained OTOBO administrator privileges, could bypass the restrictions that ConfigLevel imposes.
- OTOBO administrators, or attackers who had obtained OTOBO administrator privileges, could execute Perl code via the ACL module.
Many thanks to Tim Püttmann (maxence) who brought these vulnerabilities to our attention.
Potential consequences
- Unauthorized execution of Perl code.
- Bypassing of permission restrictions.
Measures for secure operation
Update to OTOBO 10.1.5
A security patch release is available that fixes these vulnerabilities. Please update your system.
Bug Fixes
- Update of JavaScript libraries (for manual adjustments in SysConfig, see below)
- Bug fix: Calendar entries were not visible when session cookies were disabled
- Update of S/MIME handling for newer OpenSSL versions (e.g. Ubuntu 22.04)
- Note: Some historical algorithms for certificates have been removed
- Bug fix: ProcessWidgetDynamicFields overwrote settings for dynamic fields in AgentTicketZoom
- Update of S3 support
- Bug fix: Correction of access restrictions for certain subactions in the customer area
- Bug fix: Correct hiding of a single selected queue via Autoselect
- Translation of links displayed in the footer
- Bug fix: Correction of path for systems without their own template in Kerberos
- Bug fix: Tickets were locked when following up, even if root@localhost was set as owner
- Bug fix: Error in OTOBO role synchronization to LDAP groups fixed
Notes on changed SysConfig options
JavaScript
As already done in OTOBO 10.1.3, JavaScript libraries have been updated again with this patch.
These are set in the SysConfig options “Loader::Agent::CommonJS###000-Framework” and “Loader::Customer::CommonJS###000-Framework”.
If these options were manually adjusted via SysConfig (which we do not recommend), they cannot be updated automatically.
In that case, note down the adjustments you made, reset the setting to its default, perform the update, and afterwards reapply the adjustments manually as needed.
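The note, reset, update, reapply cycle can be scripted against the SysConfig API instead of being done by hand in the admin UI. The following Perl script is an added example and is not part of the OTOBO release or of this advisory. It assumes it is placed in the bin/ directory of an OTOBO installation (so the lib paths resolve), that the Kernel::System::SysConfig methods SettingGet, SettingLock, SettingReset and ConfigurationDeploy and the result keys IsModified, EffectiveValue and DefaultValue behave as in OTRS 6, from which OTOBO 10 derives, and that it runs as the web server user. It deliberately does not restore the old value after the update, because that would carry outdated JavaScript libraries over; instead it shows how your recorded customization differs from the new default so you reapply only what is still needed.

```perl
#!/usr/bin/perl
# loader-js-customization.pl: added example, not part of OTOBO or this advisory.
# Run from the OTOBO root as the web server user:
#   bin/loader-js-customization.pl record /tmp/loader-js.json   # before the update
#   bin/loader-js-customization.pl diff   /tmp/loader-js.json   # after the update
use strict;
use warnings;
use File::Basename qw(dirname);
use FindBin qw($RealBin);
use lib dirname($RealBin);
use lib dirname($RealBin) . '/Kernel/cpan-lib';
use JSON::PP ();
use Kernel::System::ObjectManager;

local $Kernel::OM = Kernel::System::ObjectManager->new(
    'Kernel::System::Log' => { LogPrefix => 'loader-js-customization' },
);

# The two settings the advisory says cannot be updated automatically once modified.
my @Settings = (
    'Loader::Agent::CommonJS###000-Framework',
    'Loader::Customer::CommonJS###000-Framework',
);

my ( $Mode, $File ) = @ARGV;
die "usage: $0 record|diff FILE\n" if !$Mode || !$File || $Mode !~ m/^(?:record|diff)$/;

my $SysConfigObject = $Kernel::OM->Get('Kernel::System::SysConfig');
my $JSON            = JSON::PP->new->canonical->pretty;

# Items of the first list that do not occur in the second.
sub Missing {
    my ( $From, $In ) = @_;
    my %Seen = map { $_ => 1 } @{$In};
    return grep { !$Seen{$_} } @{$From};
}

if ( $Mode eq 'record' ) {
    my %Saved;
    for my $Name (@Settings) {
        my %Setting = $SysConfigObject->SettingGet( Name => $Name );
        next if !$Setting{IsModified};    # an untouched setting is updated automatically

        # Keep the customized list and the default it was derived from, so the
        # diff after the update can separate admin changes from upstream changes.
        $Saved{$Name} = { Custom => $Setting{EffectiveValue}, Default => $Setting{DefaultValue} };

        my $LockGUID = $SysConfigObject->SettingLock( Name => $Name, UserID => 1 )
            or die "Could not lock $Name\n";
        $SysConfigObject->SettingReset( Name => $Name, ExclusiveLockGUID => $LockGUID, UserID => 1 )
            or die "Could not reset $Name\n";
        print "Recorded and reset: $Name\n";
    }
    open my $FH, '>', $File or die "Cannot write $File: $!\n";
    print {$FH} $JSON->encode( \%Saved );
    close $FH;

    # Make the reset values effective before the update runs.
    if (%Saved) {
        my %Deploy = $SysConfigObject->ConfigurationDeploy(
            Comments => 'Reset Loader JS settings before security patch update',
            UserID   => 1,
            Force    => 1,
        );
        die "Deployment failed\n" if !$Deploy{Success};
    }
    exit 0;
}

# diff mode: compare the recorded customization with the new default shipped by the update.
open my $FH, '<', $File or die "Cannot read $File: $!\n";
my $Saved = $JSON->decode( do { local $/; <$FH> } );
close $FH;

for my $Name ( sort keys %{$Saved} ) {
    my %Setting    = $SysConfigObject->SettingGet( Name => $Name );
    my $NewDefault = $Setting{DefaultValue};
    my ( $Custom, $OldDefault ) = @{ $Saved->{$Name} }{qw(Custom Default)};

    print "== $Name ==\n";
    for my $Entry ( Missing( $Custom, $OldDefault ) ) {
        # A file you added: only worth re-adding if the new default still lacks it.
        my $InNew = grep { $_ eq $Entry } @{$NewDefault};
        print "  added by you:     $Entry  [", $InNew ? 'now in default, nothing to do' : 're-add manually', "]\n";
    }
    for my $Entry ( Missing( $OldDefault, $Custom ) ) {
        my $InNew = grep { $_ eq $Entry } @{$NewDefault};
        print "  removed by you:   $Entry  [", $InNew ? 'still in default, remove again if wanted' : 'gone from default', "]\n";
    }
    # Upstream changes are what this patch is about: check each against the new list
    # rather than carrying an old library version over.
    print "  new upstream:     $_\n" for Missing( $NewDefault, $OldDefault );
    print "  dropped upstream: $_\n" for Missing( $OldDefault, $NewDefault );
}
```

Run `record` before starting the update and `diff` after the update has completed and the configuration has been rebuilt, so that SettingGet already reports the new defaults; the settings themselves are left at their defaults until you reapply changes through the SysConfig UI.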
We’ll be happy to answer your questions. Contact us.
If you are a support customer and need assistance with the security patch, please contact us through your access in the support portal.
Report a security issue:
security@otobo.org