-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.4974
                            otrs2 security update
                               31 August 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           otrs2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-38060 CVE-2022-4427 CVE-2021-41184 CVE-2021-41183
                   CVE-2021-41182 CVE-2021-36100 CVE-2021-36091 CVE-2021-21443
                   CVE-2021-21441 CVE-2021-21440 CVE-2021-21439 CVE-2021-21252
                   CVE-2020-11023 CVE-2020-11022 CVE-2020-1776 CVE-2020-1774
                   CVE-2020-1773 CVE-2020-1772 CVE-2020-1771 CVE-2020-1770
                   CVE-2020-1769 CVE-2020-1767 CVE-2020-1766 CVE-2020-1765
                   CVE-2019-18180 CVE-2019-18179 CVE-2019-16375 CVE-2019-13458
                   CVE-2019-12746 CVE-2019-12497 CVE-2019-12248 CVE-2019-11358

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Comment: CVSS (Max):  9.8 CVE-2022-4427 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: [NIST], GitHub
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3551-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
August 31, 2023                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : otrs2
Version        : 6.0.16-2+deb10u1
CVE ID         : CVE-2019-11358 CVE-2019-12248 CVE-2019-12497 CVE-2019-12746
                 CVE-2019-13458 CVE-2019-16375 CVE-2019-18179 CVE-2019-18180
                 CVE-2020-1765 CVE-2020-1766 CVE-2020-1767 CVE-2020-1769
                 CVE-2020-1770 CVE-2020-1771 CVE-2020-1772 CVE-2020-1773
                 CVE-2020-1774 CVE-2020-1776 CVE-2020-11022 CVE-2020-11023
                 CVE-2021-21252 CVE-2021-21439
                 CVE-2021-21440 CVE-2021-21441 CVE-2021-21443 CVE-2021-36091
                 CVE-2021-36100 CVE-2021-41182 CVE-2021-41183 CVE-2021-41184
                 CVE-2022-4427 CVE-2023-38060
Debian Bug     : 945251 959448 980891 989992 991593

Multiple vulnerabilities were found in otrs2, the Open-Source Ticket Request
System, which could lead to impersonation, denial of service, information
disclosure, or execution of arbitrary code.

CVE-2019-11358

    A Prototype Pollution vulnerability was discovered in OTRS' embedded
    jQuery 3.2.1 copy, which could allow sending drafted messages as the
    wrong agent.

    This vulnerability is also known as OSA-2020-05.

CVE-2019-12248

    Matthias Terlinde discovered that when an attacker sends a malicious
    email to an OTRS system and a logged in agent user later quotes it,
    the email could cause the browser to load external image resources.

    A new configuration setting ‘Ticket::Frontend::BlockLoadingRemoteContent’
    has been added as part of the fix. It controls whether external content
    should be loaded, and it is disabled by default.

    This vulnerability is also known as OSA-2019-08.

CVE-2019-12497

    Jens Meister discovered that in the customer or external frontend,
    personal information of agents, like Name and mail address in external
    notes, could be disclosed.

    A new configuration setting
    ‘Ticket::Frontend::CustomerTicketZoom###DisplayNoteFrom’ has been added
    as part of the fix. It controls whether agent information should be
    displayed in the external note sender field, or be substituted with a
    different generic name. Another option named
    ‘Ticket::Frontend::CustomerTicketZoom###DefaultAgentName’ can then be
    used to define the generic agent name used in the latter case. By
    default, the previous behavior is preserved, in which agent information
    is divulged in the external note From field, for the sake of backwards
    compatibility.

    This vulnerability is also known as OSA-2019-09.
CVE-2019-12746

    A user logged into OTRS as an agent might unknowingly disclose their
    session ID by sharing the link of an embedded ticket article with third
    parties. This identifier can then potentially be abused in order to
    impersonate the agent user.

    This vulnerability is also known as OSA-2019-10.

CVE-2019-13458

    An attacker who is logged into OTRS as an agent user with appropriate
    permissions can leverage OTRS tags in templates in order to disclose
    hashed user passwords.

    This vulnerability is also known as OSA-2019-12.

CVE-2019-16375

    An attacker who is logged into OTRS as an agent or customer user with
    appropriate permissions can create a carefully crafted string containing
    malicious JavaScript code as an article body. This malicious code is
    executed when an agent composes an answer to the original article.

    This vulnerability is also known as OSA-2019-13.

CVE-2019-18179

    An attacker who is logged into OTRS as an agent is able to list tickets
    assigned to other agents which are in a queue where the attacker doesn't
    have permissions.

    This vulnerability is also known as OSA-2019-14.

CVE-2019-18180

    OTRS can be put into an endless loop by providing filenames with overly
    long extensions. This applies to the PostMaster (sending in email) and
    also upload (attaching files to mails, for example).

    This vulnerability is also known as OSA-2019-15.

CVE-2020-1765

    Sebastian Renker and Jonas Becker discovered an improper control of
    parameters, which allows the spoofing of the From fields in several
    screens, namely AgentTicketCompose, AgentTicketForward, AgentTicketBounce
    and AgentTicketEmailOutbound.

    This vulnerability is also known as OSA-2020-01.

CVE-2020-1766

    Anton Astaf'ev discovered that due to improper handling of uploaded
    images, it is possible — in very unlikely and rare conditions — to force
    the agent's browser to execute malicious JavaScript from a specially
    crafted SVG file rendered as an inline jpg file.

    This vulnerability is also known as OSA-2020-02.
CVE-2020-1767

    Agent A is able to save a draft (i.e., for a customer reply). Then Agent B
    can open the draft, change the text completely and send it in the name of
    Agent A. For the customer it will not be visible that the message was
    sent by another agent.

    This vulnerability is also known as OSA-2020-03.

CVE-2020-1769

    Martin Møller discovered that in the login screens (in the agent and
    customer interfaces), the Username and Password fields use autocomplete,
    which might be considered a security issue.

    A new configuration setting ‘DisableLoginAutocomplete’ has been added as
    part of the fix. It controls whether to disable autocompletion in the
    login forms, by setting the autocomplete="off" attribute on the login
    input fields. Note that some browsers ignore it by default (usually this
    can be changed in the browser configuration).

    This vulnerability is also known as OSA-2020-06.

CVE-2020-1770

    Matthias Terlinde discovered that the support bundle generated files
    could contain sensitive information, such as user credentials.

    This vulnerability is also known as OSA-2020-07.

CVE-2020-1771

    Christoph Wuetschne discovered that an attacker is able to craft an
    article with a link to the customer address book with malicious content
    (JavaScript). When an agent opens the link, the JavaScript code is
    executed due to the missing parameter encoding.

    This vulnerability is also known as OSA-2020-08.

CVE-2020-1772

    Fabian Henneke discovered that it is possible to craft Lost Password
    requests with wildcards in the Token value, which allows an attacker to
    retrieve valid Token(s) generated by users who already requested new
    passwords.

    This vulnerability is also known as OSA-2020-09.

CVE-2020-1773

    Fabian Henneke discovered that an attacker with the ability to generate
    session IDs or password reset tokens, either by being able to
    authenticate or by exploiting CVE-2020-1772, may be able to predict other
    users' session IDs, password reset tokens and automatically generated
    passwords.
    The fix adds ‘libmath-random-secure-perl’ to otrs2's Depends:.

    This vulnerability is also known as OSA-2020-10.

CVE-2020-1774

    When a user downloads PGP or S/MIME keys/certificates, the exported file
    has the same name for private and public keys. It is therefore possible
    to mix them up and to send the private key to the third party instead of
    the public key.

    This vulnerability is also known as OSA-2020-11.

CVE-2020-1776

    When an agent user is renamed or set to invalid, the session belonging to
    the user is kept active. The session cannot be used to access ticket data
    in the case the agent is invalid.

    This vulnerability is also known as OSA-2020-13.

CVE-2020-11022

    Masato Kinugawa discovered a potential XSS vulnerability in OTRS'
    embedded jQuery 3.2.1's htmlPrefilter and related methods. The fix
    requires patching embedded copies of fullcalendar (3.4.0),
    fullcalendar-scheduler (1.6.2) and spectrum (1.8.0).

    This vulnerability is also known as OSA-2020-14.

CVE-2020-11023

    Masato Kinugawa discovered a potential XSS vulnerability in OTRS'
    embedded jQuery 3.2.1 copy when appending HTML containing option
    elements.

    This vulnerability is also known as OSA-2020-14.

CVE-2021-21252

    Erik Krogh Kristensen and Alvaro Muñoz from the GitHub Security Lab team
    discovered a Regular Expression Denial of Service (ReDoS) vulnerability
    in OTRS' embedded jQuery-validate 1.16.0 copy.

CVE-2021-21439

    A Denial of Service (DoS) attack can be performed when an email contains
    a specially designed URL in the body. It can lead to high CPU usage and
    cause low quality of service, or in an extreme case bring the system to
    a halt.

    This vulnerability is also known as OSA-2021-09 or ZSA-2021-03.

CVE-2021-21440

    Julian Droste and Mathias Terlinde discovered that the generated Support
    Bundles contain private S/MIME and PGP keys when the parent directory is
    not hidden. Furthermore, secrets and PINs for the keys are not masked
    properly.

    This vulnerability is also known as OSA-2021-10 or ZSA-2021-08.
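The two Lost Password issues above (CVE-2020-1772, wildcards accepted in the Token value; CVE-2020-1773, predictable tokens fixed by depending on libmath-random-secure-perl) share one lesson for anyone implementing a reset-token store: generate the token from a CSPRNG and look it up by exact equality, never by pattern. The following is an added illustration in Python and is not OTRS code (OTRS is written in Perl); the table name `reset_token`, the helper names and the hex token format are assumptions made for the example, and the in-memory SQLite database is constructed here.

```python
import hmac
import re
import secrets
import sqlite3
from typing import Optional

# Constructed table for this example; it does not mirror OTRS's real schema.
SCHEMA = """
CREATE TABLE reset_token (
    user_id TEXT PRIMARY KEY,
    token   TEXT NOT NULL UNIQUE
);
"""

# secrets.token_hex(32) produces exactly 64 lowercase hex characters. Hex is chosen
# deliberately: the SQL LIKE wildcards '%' and '_' can never be part of a valid
# token, so a submitted value containing them is rejected before any query runs.
# (A URL-safe base64 alphabet would legitimately contain '_', which is why the
# shape check alone is not the defence; the '=' comparison below is.)
TOKEN_SHAPE = re.compile(r"[0-9a-f]{64}")


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn: sqlite3.Connection, user_id: str) -> str:
    """Create a reset token for user_id from the OS CSPRNG and store it.

    secrets (os.urandom underneath) rather than a seeded PRNG is the point of
    the libmath-random-secure-perl dependency in the advisory: a token must not
    be predictable from tokens an attacker has already obtained."""
    token = secrets.token_hex(32)
    conn.execute(
        "INSERT OR REPLACE INTO reset_token (user_id, token) VALUES (?, ?)",
        (user_id, token),
    )
    return token


def lookup_weak(conn: sqlite3.Connection, submitted: str) -> Optional[str]:
    """Flawed lookup, kept only for contrast: LIKE gives the submitted value
    pattern semantics, so '%' or '_' in it stands for characters of any stored
    token. This is the wildcard bug class described for CVE-2020-1772."""
    row = conn.execute(
        "SELECT user_id FROM reset_token WHERE token LIKE ?", (submitted,)
    ).fetchone()
    return row[0] if row else None


def lookup_strict(conn: sqlite3.Connection, submitted: str) -> Optional[str]:
    """Hardened lookup: exact shape check, '=' comparison with a bound parameter,
    a constant-time confirmation of the match, and deletion so the token is
    single-use. (A production store would additionally keep only a hash of the
    token at rest; omitted here to keep the contrast with lookup_weak direct.)"""
    if not TOKEN_SHAPE.fullmatch(submitted):
        return None
    row = conn.execute(
        "SELECT user_id, token FROM reset_token WHERE token = ?", (submitted,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], submitted):
        return None
    conn.execute("DELETE FROM reset_token WHERE user_id = ?", (row[0],))
    conn.commit()
    return row[0]


if __name__ == "__main__":
    store = open_store()
    alice_token = issue_token(store, "alice")
    print("LIKE lookup, bare wildcard:", lookup_weak(store, "%"))
    print("strict lookup, bare wildcard:", lookup_strict(store, "%"))
    print("strict lookup, real token:", lookup_strict(store, alice_token))
    print("strict lookup, token reused:", lookup_strict(store, alice_token))
```

Run stand-alone, the weak lookup resolves a bare `%` to a user while the strict lookup rejects it, accepts the genuine token once, and refuses it on reuse. The same exact-match discipline applies to session IDs, which the advisory groups with reset tokens under CVE-2020-1773.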
CVE-2021-21441

    There is a Cross-Site Scripting (XSS) vulnerability in the ticket
    overview screens. It is possible to collect various information by
    having an e-mail shown in the overview screen. An attack can be
    performed by sending a specially crafted e-mail to the system, which
    does not require any user interaction.

    This vulnerability is also known as OSA-2021-11 or ZSA-2021-06.

CVE-2021-21443

    Agents are able to list customer user emails without the required
    permissions in the bulk action screen.

    This vulnerability is also known as OSA-2021-13 or ZSA-2021-09.

CVE-2021-36091

    Agents are able to list appointments in the calendars without the
    required permissions.

    This vulnerability is also known as OSA-2021-14 or ZSA-2021-10.

CVE-2021-36100

    Rayhan Ahmed and Maxime Brigaudeau discovered that a specially crafted
    string in the system configuration allows execution of arbitrary system
    commands.

    The fix 1/ removes configurable system commands from generic agents;
    2/ removes the ‘MIME-Viewer###…’ settings (the system command in the
    SysConfig option "MIME-Viewer" is now only configurable via
    Kernel/Config.pm); 3/ removes dashboard widget support for execution of
    system commands; and 4/ deactivates support for execution of
    configurable system commands from Sendmail and PostMaster pre-filter
    configurations.

    This vulnerability is also known as OSA-2022-03 or ZSA-2022-02.

CVE-2021-41182

    Esben Sparre Andreasen discovered an XSS vulnerability in the `altField`
    option of the Datepicker widget in OTRS' embedded jQuery-UI 1.12.1 copy.

    This vulnerability is also known as ZSA-2022-01.

CVE-2021-41183

    Esben Sparre Andreasen discovered an XSS vulnerability in the `*Text`
    options of the Datepicker widget in OTRS' embedded jQuery-UI 1.12.1 copy.

    This vulnerability is also known as ZSA-2022-01.

CVE-2021-41184

    Esben Sparre Andreasen discovered an XSS vulnerability in the `of` option
    of the `.position()` util in OTRS' embedded jQuery-UI 1.12.1 copy.
    This vulnerability is also known as ZSA-2022-01.

CVE-2022-4427

    Tim Püttmanns discovered an SQL injection vulnerability in
    Kernel::System::Ticket::TicketSearch, which can be exploited using the
    web service operation "TicketSearch".

    This vulnerability is also known as ZSA-2022-07.

CVE-2023-38060

    Tim Püttmanns discovered an Improper Input Validation vulnerability in
    the ContentType parameter for attachments on TicketCreate or
    TicketUpdate operations.

For Debian 10 buster, these problems have been fixed in version
6.0.16-2+deb10u1.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/otrs2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --VDF94richAR/cCYZ
Content-Type: application/pgp-signature; name="signature.asc"

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmTv3MgACgkQ05pJnDwh
pVLClg/9EWtgLNcXk9qGqWHF7C0XlkJYvvfigwKX4gxcm4FQF66/eLyva9OgRdW4
CycFjMfDxmnWkYsuXp4sjB0PpJSw5pBdGX/mECumzJiPT11E8bmGKYm699Y9agrq
mkhSTvRp3Il5CZDHa3KqGQuXXySuGaH4yGRUBnD3U1V9L0e7ca317z7Rzph/f6wp
CWXmbdKbhf9STZbtqRWjki8t9kA3+u0YsRgJP3xrsr/bCOmPMSOQo+cqT17Gef6k
eNQAtfRz2pT3u4+wVEAmrJjSw2qTuyRNwlZ3M/fqLqoaNq3o/Axxqp/45kWi4JkR
a0Y9nWGwKKgJQTDBGPDtGoJHUXBlGWOyOdYcybwd/AHd+GOd0KkQMdkh6NvNtMEy
R+dJcdiXDwPFYiDJytJ0xsda0ADUVJalQoudAI/zDmGtGnkQfHeGMVHAJZAPFgnG
Ns7SYlGQrtFva4kPb5f+4RB4wH3Ld7t1TB/aZwX1NDKktHCox2Q5I0RruMbuo2MU
LMLewvFThEfrdXWSEQydCLnyJzDAhLmLWbRLLqO1lYFiSjzEHgg6GhKtlrYMXpiW
RbRQtsGB377BWrV/0fHhPGpZsaj4g0FncoKn8cs69iAO21uj9NPvWYLDTO8xLYqE
T+opIjn2ZkGt1GG0/hRTwrtbBBt9AHJGahKXaFjkGteEKpD0geQ=
=gUvm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZPAigckNZI30y1K9AQhZJw/+ICILq0DDdObEkicDZruZQOUmW65CXo9I
mQ3b/YepwWBFpGDEVnvm9lFFidLkGTBQG0YJ8ZRLLyxMIjniRAl5rJ8ScXKayHaH
NfDOCfckwoNV4DXjCfHicPr+hPrElkTlFoY2xWYTw75bm8gy8ZsNUNLlEi+O9J03
EC3M2TN7P6LcGDh9wVBcOkcx3C75HUb7RvN7MOhwLjY8k/r9MSbF+UUCiYJKXBwY
C00tfY2BtkJzn/vqu/ZT08dUmT7MKoORZng8MUL5ejFrvrq7ebwTJnOff2jPcfI5
0eGnsXYbokP6LEHwup7RWFDbvPAiXEUE+xQBj2M0A/6RzRD0XOOA3cLp27spWzn2
jb1OETeDZK56lAbX8sHHWxHQpEDTBsmxzdK0ukKjlx4y3fN+CHMTUxKAs6y1HVhv
KegkHZZImUkhvIMLTXTewldkCVhcqelWzlCWN7PhK28H5Zu22QGWXpTopOKFZbX7
p1EWbSQpj5o5Il416CipZiva5Z09OSwJE2LdZJ3FH5GWHrkAQjMWeDXH5GB02MNd
bya+2ZpkBlwbMHTNVbRhIqwW50Z6jlTgNmj3AY7RUGa1h+Hqz5XJ04pCBUICbwG8
BHcihyea8MTZybyhvDj59Wav6ZYP/lnjYDN3tVQm9b9d3W0Yvx27AkYaRBBFzQv9
Lz5xgd1xkA4=
=RF2M
-----END PGP SIGNATURE-----