Security Advisory 2024-01

Summary

The reporting application used by Stages to render reports is vulnerable to remote code execution.

Release Date

2024-10-07

Affected Versions

  • All 7.x versions after and including 7.2.0.0

To find out which Stages version you are running, log in as “root” and look for the version information on the right side of the “Administration” dashboard.

Severity

Critical 10 (according to NVD definition; Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/V:D/RE:L/U:Red)

Description

A critical vulnerability has been found in the reporting application that runs in the Tomcat container that comes with Stages.

The vulnerability was found during an internal penetration test. None of the systems analyzed by UL Solutions, including all Stages Managed Service instances, showed any evidence of unauthorized usage. Please contact us for further information on how to analyze whether your system has been impacted.

If you see indications of potentially unauthorized usage, please contact lst.global.stagessecurityrequests@ul.com immediately.

Resolution

Please read and follow the mitigation steps below. Additionally, if you are running Stages on premise, we strongly recommend that you upgrade to version 7.9.19.0 or 7.10.10.0 (or a later version) respectively. In addition, apply all the mandatory manual actions of the service release; these include the steps described in the Mitigation section below, but also contain additional activities concerning metamodels (not related to this security advisory). For further details, please check the links to the changes.html files below.

If you experience problems downloading the latest releases, please contact the Stages customer care team via stages-support@ul.com.

The issue has already been resolved on all Stages Managed Service instances. There is no further action required for customers that use Stages Managed Service / Stages as a Service.

As a good security practice, we recommend that Report Administration permissions generally be granted as restrictively as possible.

The new service releases can be downloaded from here:

7.9.19.0

https://download.stages.digital/stages/stages-7.9.19.0-1.x86_64.rpm

https://download.stages.digital/stages/stages-7.9.19.0-x64.exe

https://download.stages.digital/stages/changes-7.9.19.0.html

7.10.10.0

https://download.stages.digital/stages/stages-7.10.10.0-1.x86_64.rpm

https://download.stages.digital/stages/stages-7.10.10.0-x64.exe

https://download.stages.digital/stages/changes-7.10.10.0.html

Mitigation

Please perform the following updates manually in your configuration:

In STAGES_CONF/server.xml, replace

<Context path="/reporting" docBase="reporting" cookies="true" />

by

<Context path="/reporting" docBase="reporting" cookies="true" >
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"/>
</Context>

Additionally, activate the SingleSignOnValve by uncommenting the following line:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

Afterwards, execute update.sh (or update.bat) and restart the Stages service; access to the reporting app is then restricted to localhost.
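A verification check for the server.xml change above, added here as an example that is not part of the advisory or of the Stages product: it parses the file, locates the RemoteAddrValve on the /reporting Context and mimics Tomcat's whole-address regex match, so 127.0.0.1 is admitted while 127.0.0.10 or 10.0.0.5 are rejected. The server.xml skeleton and the probe addresses are constructed; a practitioner would pass the contents of STAGES_CONF/server.xml instead.

```python
import re
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
LOOPBACK = ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1")
# Non-loopback probes (constructed); 127.0.0.10 checks that the regex is matched whole.
PROBES = ("10.0.0.5", "127.0.0.10", "192.168.1.20")

def _server_xml(reporting_context: str) -> str:
    """Wrap a <Context> snippet in a minimal, constructed server.xml skeleton."""
    return ('<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">'
            '<Host name="localhost" appBase="webapps">'
            '<Context path="/stages" docBase="stages" />' + reporting_context +
            "</Host></Engine></Service></Server>")

# The unmitigated Context line from the advisory and its replacement.
UNMITIGATED = _server_xml('<Context path="/reporting" docBase="reporting" cookies="true" />')
MITIGATED = _server_xml(
    '<Context path="/reporting" docBase="reporting" cookies="true" >'
    '<Valve className="org.apache.catalina.valves.RemoteAddrValve" '
    r'allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"/>'
    "</Context>")

def reporting_allow_pattern(server_xml: str):
    """Return the allow regex of the RemoteAddrValve under the /reporting Context, else None."""
    root = ET.fromstring(server_xml)
    for ctx in root.iter("Context"):
        if ctx.get("path") != "/reporting":
            continue
        for valve in ctx.iter("Valve"):
            if valve.get("className") == REMOTE_ADDR_VALVE and valve.get("allow"):
                return valve.get("allow")
    return None

def valve_admits(allow_pattern: str, remote_addr: str) -> bool:
    """Mimic RemoteAddrValve: the whole remote address must match the allow regex."""
    return re.fullmatch(allow_pattern, remote_addr) is not None

def reporting_is_localhost_only(server_xml: str) -> bool:
    """True only if every loopback address is admitted and every probe address is rejected."""
    allow = reporting_allow_pattern(server_xml)
    if allow is None:
        return False
    return (all(valve_admits(allow, a) for a in LOOPBACK)
            and not any(valve_admits(allow, p) for p in PROBES))

if __name__ == "__main__":
    for name, xml in (("unmitigated", UNMITIGATED), ("mitigated", MITIGATED)):
        print(f"{name}: /reporting restricted to localhost -> {reporting_is_localhost_only(xml)}")
```

The valve evaluates the client address as Tomcat sees it, so a reverse proxy on the same host that forwarded /reporting would present a loopback address; keeping /reporting out of the proxy configuration, as described below, is what makes that setup safe.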

If a reverse proxy installed in front of Stages only forwards requests to /stages but not to /reporting, your installation is also safe.

If you use a Stages version prior to 7.9.14.0 or 7.10.5.0, the Stages reporting feature might no longer work after applying the above mitigation. Further information can be found here: Upgrade to Stages 7.9.14.0 or higher, Upgrade to Stages 7.10.5.0 or higher. If you are not able to upgrade to the latest service release, please contact the Customer Care team via stages-support@ul.com for further instructions.

Note

Please contact the Stages customer care team via stages-support@ul.com in case you need further support, or if you are not able to update your configuration or install a new version at this time.