general:secadv-2024-01 [2024/10/03 17:39] – [Description] Meier, Erich | general:secadv-2024-01 [2024/10/08 08:34] (current) – [Mitigation] Linz, Andreas
Line 4: | Line 4: | ||
The reporting application used by Stages to render reports is vulnerable to remote code execution. | The reporting application used by Stages to render reports is vulnerable to remote code execution. | ||
===== Release Date ===== | ===== Release Date ===== | ||
2024-10-07 | 2024-10-07 | ||
===== Affected Versions ===== | ===== Affected Versions ===== | ||
Line 16: | Line 14: | ||
To find out which Stages version you are running, log in as “root” and look for the version information on the right side of the “Administration” dashboard. | To find out which Stages version you are running, log in as “root” and look for the version information on the right side of the “Administration” dashboard. | ||
===== Severity ===== | ===== Severity ===== | ||
**Critical 10 ** (according to [[https:// | **Critical 10 ** (according to [[https:// | ||
===== Description ===== | ===== Description ===== | ||
Line 30: | Line 26: | ||
If you see indications of potentially unauthorized usage, please contact [[lst.global.stagessecurityrequests@ul.com]] immediately. | If you see indications of potentially unauthorized usage, please contact [[lst.global.stagessecurityrequests@ul.com]] immediately. | ||
===== Resolution ===== | ===== Resolution ===== | ||
- | Please read and follow the mitigation steps below. Additionally, | + | Please read and follow the mitigation steps below. Additionally, |
If you experience problems downloading the latest releases, please contact the Stages customer care team via [[stages-support@ul.com]] | If you experience problems downloading the latest releases, please contact the Stages customer care team via [[stages-support@ul.com]] | ||
Line 46: | Line 41: | ||
**7.9.19.0** | **7.9.19.0** | ||
- | [[https://www.methodpark.de/ | + | [[https://download.stages.digital/ |
- | [[https://www.methodpark.de/ | + | [[https://download.stages.digital/ |
+ | [[https:// | ||
**7.10.10.0** | **7.10.10.0** | ||
- | [[https://www.methodpark.de/ | + | [[https://download.stages.digital/ |
- | [[https://www.methodpark.de/ | + | [[https://download.stages.digital/ |
+ | [[https:// | ||
===== Mitigation ===== | ===== Mitigation ===== | ||
- | Please perform the following updates | + | Please perform the following updates |
- | in STAGES_CONF/ | + | in '' |
<code -> | <code -> | ||
Line 75: | Line 74: | ||
</ | </ | ||
- | and restart the Stages service to restrict access to the reporting app to localhost. | + | Additionally activate the SingleSignOnValve by uncommenting the following line |
+ | <code -> | ||
+ | <Valve className=" | ||
+ | </ | ||
+ | Afterwards execute update.sh|bat | ||
- | In case there is a reverse proxy installed in front of Stages that only forwards requests to /stages but not to /reporting your installation is also safe. | + | In case there is a reverse proxy installed in front of Stages that only forwards requests to '' |
- | In case you use a Stages Version prior to 7.9.14.0 or 7.10.5.0, the Stages reporting feature might not work anymore after applying the above mitigation. If you are not able to upgrade to the latest service release, please contact Customer Care team via [[stages-support@ul.com|stages-support@ul.com]] for further instructions. | + | In case you use a Stages Version prior to 7.9.14.0 or 7.10.5.0, the Stages reporting feature might not work anymore after applying the above mitigation. Further information can be found here: [[https:// |
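Review bot: The revised Mitigation text drops the removed sentence "and restart the Stages service to restrict access to the reporting app to localhost", so the new version no longer tells the reader what the configuration change achieves or whether a service restart is still required once the SingleSignOnValve line is uncommented and update.sh|bat has run. Keep the rationale (access to the reporting app is limited to localhost) next to the new valve instruction and state explicitly whether the restart step remains part of the procedure, so that administrators applying only this section can verify the outcome.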