Bug #1424755 “Org Unit Setting View Permissions Can Be Bypassed” : Bugs : Evergreen

Revision history for this message

Jason Stephenson (jstephenson) wrote on 2015-02-24:

#1

This is a serious security bug in Evergreen that allows unauthenticated users to retrieve sensitive information remotely. This information could include email addresses and/or account information for 3rd party products that integrate with Evergreen.

Evergreen is patched as of releases 2.5.9, 2.6.7, 2.7.4, and 2.8.0-beta. All prior releases are vulnerable to this remote exploit.

It is extremely important that if you cannot upgrade at this time that you patch your Evergreen to protect against this exploit. To that end, a patch is being supplied that you can apply to a running system. In order to secure your system, you must download this patch, copy it to each of your Evergreen servers, at least any that run open-ils.actor services. You will need to perform the following steps on each server to completely patch your system.

First, you must find where the Actor.pm module is located. This is usually under /usr/local somewhere. The following command will find it for you:

find /usr/local -name Actor.pm

On an Ubuntu 12.04 system, the above prints out "/usr/local/share/perl/5.14.2/OpenILS/Application/Actor.pm" so we will use that as our example, just be sure that when you do this for real, you use the actual path printed by the above command. If it prints nothing, you will need to check other locations.

Once you have the path, you can run the patch command. Assuming that you are in the directory where you put the patch file, the following command should apply the patch:

sudo patch /usr/local/share/perl/5.14.2/OpenILS/Application/Actor.pm lp1424755.patch

Unless you have made local edits to the affected file, the patch should apply cleanly.

After you have applied the patch, you will need to restart the open-ils.actor services. You do this by running osrf_control with the appropriate options:

osrf_control [--localhost] --restart --service open-ils.actor

The --localhost is in brackets because you may or may not need it. Your system administrator should know if you do or not. If you do need it, remove the brackets. If you don't need it, then omit the option entirely.

This is a serious security bug in Evergreen that allows unauthenticated users to retrieve sensitive information remotely. This information could include email addresses and/or account information for 3rd party products that integrate with Evergreen.

Evergreen is patched as of releases 2.5.9, 2.6.7, 2.7.4, and 2.8.0-beta. All prior releases are vulnerable to this remote exploit.

It is extremely important that if you cannot upgrade at this time that you patch your Evergreen to protect against this exploit. To that end, a patch is being supplied that you can apply to a running system. In order to secure your system, you must download this patch, copy it to each of your Evergreen servers, at least any that run open-ils.actor services. You will need to perform the following steps on each server to completely patch your system.

First, you must find where the Actor.pm module is located. This is usually under /usr/local somewhere. The following command will find it for you:

find /usr/local -name Actor.pm

On an Ubuntu 12.04 system, the above prints out "/usr/local/share/perl/5.14.2/OpenILS/Application/Actor.pm" so we will use that as our example, just be sure that when you do this for real, you use the actual path printed by the above command. If it prints nothing, you will need to check other locations.

Once you have the path, you can run the patch command. Assuming that you are in the directory where you put the patch file, the following command should apply the patch:

sudo patch /usr/local/share/perl/5.14.2/OpenILS/Application/Actor.pm lp1424755.patch

Unless you have made local edits to the affected file, the patch should apply cleanly.

After you have applied the patch, you will need to restart the open-ils.actor services. You do this by running osrf_control with the appropriate options:

osrf_control [--localhost] --restart --service open-ils.actor

The --localhost is in brackets because you may or may not need it. Your system administrator should know if you do or not. If you do need it, remove the brackets. If you don't need it, then omit the option entirely.

Revision history for this message

Jason Stephenson (jstephenson) wrote on 2015-02-24:

#2

The patch for this bug. Edit (2.8 KiB, text/plain)

The patch described in comment #1.

Revision history for this message

Ben Shum (bshum) wrote on 2015-02-27:

#3

Marking targets for security releases.

Changed in evergreen:
milestone:	none → 2.8-beta

Galen Charlton (gmc) on 2015-03-03

information type:	Private Security → Public Security
Changed in evergreen:
status:	Confirmed → Fix Committed

Evergreen Bug Maintenance (bugmaster) on 2015-04-02

Changed in evergreen:
status:	Fix Committed → Fix Released

	Status	Importance	Assigned to	Milestone
Evergreen	Fix Released	Critical	Unassigned	Evergreen 2.8-beta
2.5	Fix Released	Critical	Unassigned	Evergreen 2.5.9
2.6	Fix Released	Critical	Unassigned	Evergreen 2.6.7
2.7	Fix Released	Critical	Unassigned	Evergreen 2.7.4

Evergreen

Org Unit Setting View Permissions Can Be Bypassed

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches