Stages Documentation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
general:secadv-2024-01 [2024/10/02 22:50] – [Severity] Meier, Erichgeneral:secadv-2024-01 [2024/10/08 08:34] (current) – [Mitigation] Linz, Andreas
Line 4: Line 4:
  
 The reporting application used by Stages to render reports is vulnerable to remote code execution. The reporting application used by Stages to render reports is vulnerable to remote code execution.
- 
  
 ===== Release Date ===== ===== Release Date =====
  
-2024-10-04 +2024-10-07
  
 ===== Affected Versions ===== ===== Affected Versions =====
Line 16: Line 14:
  
 To find out which Stages version you are running, log in as “root” and look for the version information on the right side of the “Administration” dashboard. To find out which Stages version you are running, log in as “root” and look for the version information on the right side of the “Administration” dashboard.
- 
  
 ===== Severity ===== ===== Severity =====
  
 **Critical 10 ** (according to [[https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator|NVD]] definition; Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/V:D/RE:L/U:Red) **Critical 10 ** (according to [[https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator|NVD]] definition; Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/V:D/RE:L/U:Red)
- 
  
 ===== Description ===== ===== Description =====
Line 29: Line 25:
 The vulnerability was found during an internal penetration test. None of the systems analyzed by UL Solutions including all Stages Managed Service instances showed any evidence of unauthorized usage. Please contact us for further information how to analyze if your system has been impacted. The vulnerability was found during an internal penetration test. None of the systems analyzed by UL Solutions including all Stages Managed Service instances showed any evidence of unauthorized usage. Please contact us for further information how to analyze if your system has been impacted.
  
-If you see indications of unauthorized usage, please contact [[lst.global.stagessecurityrequests@ul.com]] immediately. +If you see indications of potentially unauthorized usage, please contact [[lst.global.stagessecurityrequests@ul.com]] immediately.
  
 ===== Resolution ===== ===== Resolution =====
  
-Please read and follow the mitigation steps below. Additionally, if you are using Stages on premise, we strongly recommend that you **upgrade to versions 7.9.19.0 or 7.10.10.0 (or later versions)** respectively.+Please read and follow the mitigation steps below. Additionally, if you are using Stages on premise, we strongly recommend that you **upgrade to versions 7.9.19.0 or 7.10.10.0 (or later versions)** respectively. **In addition, apply all the mandatory manual actions of the service release, which include the steps as described in the Mitigation section below - but also contain additional activities concerning metamodels (not related to this security advisory). For further details please check the links below to changes.html files.**
  
 If you experience problems downloading the latest releases, please contact the Stages customer care team via [[stages-support@ul.com]] If you experience problems downloading the latest releases, please contact the Stages customer care team via [[stages-support@ul.com]]
Line 46: Line 41:
 **7.9.19.0** **7.9.19.0**
  
-[[https://www.methodpark.de/downloads/stages/stages-7.10.10.0-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.10.10.0-1.x86_64.rpm]]+[[https://download.stages.digital/stages/stages-7.9.19.0-1.x86_64.rpm|https://download.stages.digital/stages/stages-7.9.19.0-1.x86_64.rpm]]
  
-[[https://www.methodpark.de/downloads/stages/stages-7.10.10.0-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.10.10.0-x64.exe]]+[[https://download.stages.digital/stages/stages-7.9.19.0-x64.exe|https://download.stages.digital/stages/stages-7.9.19.0-x64.exe]] 
 + 
 +[[https://download.stages.digital/stages/changes-7.9.19.0.html|https://download.stages.digital/stages/changes-7.9.19.0.html]]
  
 **7.10.10.0** **7.10.10.0**
  
-[[https://www.methodpark.de/downloads/stages/stages-7.9.19.0-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.9.19.0-1.x86_64.rpm]]+[[https://download.stages.digital/stages/stages-7.10.10.0-1.x86_64.rpm|https://download.stages.digital/stages/stages-7.10.10.0-1.x86_64.rpm]]
  
-[[https://www.methodpark.de/downloads/stages/stages-7.9.19.0-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.9.19.0-x64.exe]]+[[https://download.stages.digital/stages/stages-7.10.10.0-x64.exe|https://download.stages.digital/stages/stages-7.10.10.0-x64.exe]] 
 + 
 +[[https://download.stages.digital/stages/changes-7.10.10.0.html|https://download.stages.digital/stages/changes-7.10.10.0.html]]
  
  
 ===== Mitigation ===== ===== Mitigation =====
  
-Please perform the following updates for mitigation to your configuration:+Please perform the following updates manually in your configuration:
  
-in STAGES_CONF/server.xml replace+in ''STAGES_CONF/server.xml'' replace
  
 <code -> <code ->
Line 75: Line 74:
 </code> </code>
  
-and restart the Stages service to restrict access to the reporting app to localhost.+Additionally activate the SingleSignOnValve by uncommenting the following line 
 + 
 +<code -> 
 +<Valve className="org.apache.catalina.authenticator.SingleSignOn" /> 
 +</code> 
 + 
 +Afterwards execute update.sh|bat and restart the Stages service to restrict access to the reporting app to localhost.
  
-In case there is a reverse proxy installed in front of Stages that only forwards requests to /stages but not to /reporting your installation is also safe.+In case there is a reverse proxy installed in front of Stages that only forwards requests to ''/stages'' but not to ''/reporting'' your installation is also safe.
  
-In case you use a Stages Version prior to 7.9.14.0 or 7.10.5.0, the Stages reporting feature might not work anymore after applying the above mitigation. If you are not able to upgrade to the latest service release, please contact Customer Care team via [[stages-support@ul.com|stages-support@ul.com]] for further instructions.+In case you use a Stages Version prior to 7.9.14.0 or 7.10.5.0, the Stages reporting feature might not work anymore after applying the above mitigation. Further information can be found here: [[https://doc.stagesasaservice.com/79/upgrade_to_7_9_14|Upgrade to Stages 7.9.14.0 or higher]], [[https://doc.stagesasaservice.com/710/upgrade_to_7_10_5|Upgrade to Stages 7.10.5.0 or higher]]. If you are not able to upgrade to the latest service release, please contact Customer Care team via [[stages-support@ul.com|stages-support@ul.com]] for further instructions.