Security:Security Advisories/BSSA-2023-02: Difference between revisions

(Created page with "{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}} {| class="wikitable" |+ ! ! |- |Date |2023-07-25 |- |Severity |Medium |- |Affected | * BlueSpice Infrastructure: Ghostscript |- |Fixed in | * Ghostscript 9.53.3 and 10.01.2 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664] |} == Problem == A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF docum...")
 
No edit summary
Tag: 2017 source edit
Line 6: Line 6:
|-
|-
|Date
|Date
|2023-07-25
|2023-10-30
|-
|-
|Severity
|Severity
|Medium
|Low
|-
|-
|Affected
|Affected
|
|
* BlueSpice Infrastructure: Ghostscript
* BlueSpiceAvatars
|-
|-
|Fixed in
|Fixed in
|
|
* Ghostscript 9.53.3 and 10.01.2
* BlueSpiceAvatars 4.3.3
* BlueSpiceAvatars 3.2.10.1
|-
|-
|CVE
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|}
|}


== Problem ==
== Problem ==
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.


PDFHandler is not enabled by default, but many installations have set it active.


== Solution ==
== Solution ==
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.  
* BlueSpice 4: Update to version 4.3.3
 
* BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1]
If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.


== Resources ==
== Resources ==
* For Debian: https://www.debian.org/security/2023/dsa-5446
None
* For Debian10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)]
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8




== Acknowledgements ==
== Acknowledgements ==
Found during an internal security audit.
Found during an internal security audit.
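Review bot: the new revision leaves the Problem section empty. The Ghostscript description from the old revision (left column) is removed, but nothing replaces it, so the advisory now lists an affected component (BlueSpiceAvatars), fixed versions (4.3.3 and 3.2.10.1), a severity (Low) and a CVE (CVE-2023-42431) without stating what the vulnerability is or under which conditions an installation is exposed; a short description of the BlueSpiceAvatars issue should be added between the table and the Solution section. Two smaller points in the same change: the Resources section is reduced to "None" although the CVE record linked in the table and the referenced GitHub tag for 3.2.10.1 are natural entries for it, and the Featurepage template left unchanged above this diff still reads "Current Security Advisory: BSSA-2023-01" while the page title is BSSA-2023-02, so the featured-page description should be updated along with the advisory content.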

Revision as of 11:53, 30 October 2023

Date 2023-10-30
Severity Low
Affected
  • BlueSpiceAvatars
Fixed in
  • BlueSpiceAvatars 4.3.3
  • BlueSpiceAvatars 3.2.10.1
CVE CVE-2023-42431

Problem

Solution

  • BlueSpice 4: Update to version 4.3.3
  • BlueSpice 3: Update Extension:BlueSpiceAvatars version 3.2.10.1

Resources

None


Acknowledgements

Found during an internal security audit.