Security vulnerability announcement: CVE 2011-3587

A vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of arbitrary code by anonymous users.

This is a severe vulnerability that allows an unauthenticated attacker to employ a carefully crafted web request to execute arbitrary commands with the privileges of the Zope service.

CVE-2011-3587

Versions Affected: Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Zope 2.11.x, Zope 2.10.x and prior Zope versions.

The hotfix was released at 2011-10-04 15:00 UTC.

Note that the Plone community has also released a different hotfix today, which closes an additional Plone specific security issue. If you are using Plone, please refer to http://plone.org/products/plone/security/advisories/20110928.

Installation

You can either install the hotfix as an egg release from http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2011_3587 or as an old-style product release available from http://download.zope.org/Zope2/hotfixes/Zope_Hotfix_CVE_2011_3587-v10.tar.gz. Alternatively you can upgrade to the latest bugfix release of Zope. Versions 2.12.20 and 2.13.10 include the fix for this vulnerability.

If you are using buildout to install the egg-based version, note that in a versions section the package name must be written with hyphens instead of underscores: Products.Zope-Hotfix-CVE-2011-3587 = 1.0
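As an added example (not part of the original advisory), the following minimal buildout.cfg fragment shows both places the hotfix name appears. The [instance] section name and the plone.recipe.zope2instance recipe are assumptions about a typical Zope 2 buildout; the package name and version are those given above.

```ini
[buildout]
parts = instance
# Point buildout at the pinning section below (assumed buildout 1.x layout).
versions = versions

[versions]
# Pin the hotfix release. In a versions section the name must use
# hyphens, not the underscores of the distribution name.
Products.Zope-Hotfix-CVE-2011-3587 = 1.0

[instance]
recipe = plone.recipe.zope2instance
# The eggs list uses the distribution name as published on PyPI.
eggs =
    Products.Zope_Hotfix_CVE_2011_3587
```

After editing the configuration, re-run bin/buildout and restart the Zope instance so the hotfix product is loaded; a version pin with underscores in the [versions] section would silently fail to match and leave the egg unpinned.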

Extra help

Should you not have in-house server administrators or a service agreement looking after your website, you can find consultancy companies on plone.net.

There is also free support available online via Zope mailing lists and the #zope IRC channels.

Questions and Answers

Q: When will the patch be made available?
A: The Security Team will release the patch at 2011-10-04 15:00 UTC.

Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be unpacked into the “products” folder of a buildout installation and as Python packages that may be installed by editing a buildout configuration file and running buildout. Patching is generally easy and quick to accomplish.

Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the Plone Security team.

Q: My site is highly visible and mission-critical. I hear the patch has already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time. There are no exceptions.

Q: If the patch has been developed already, why isn't it already made available to the public?
A: The Security Team is still testing the patch and running various scenarios thoroughly. The team is also making sure everybody has appropriate time to plan to patch their Zope installation(s). Some consultancy organizations have hundreds of sites to patch and need the extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is made available.

Q: Is there a CVE record for this vulnerability?
A: Yes, it is CVE-2011-3587.

Q: What is the hotfix package named?
A: Products.Zope_Hotfix_CVE_2011_3587

If you have specific questions about this vulnerability or its handling, contact the Zope Security Team, security-response@zope.org.

To report potentially security-related issues, please send a mail to the Zope Security Team at security-response@zope.org. The security team is always happy to credit individuals and companies who make responsible disclosures.

Information for vulnerability database maintainers

CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)
Impact Subscore: 6.4
Exploitability Subscore: 10
CVSS Temporal Score: 5.9
Credit: Alan Hoey