SummaryPossible remote code execution on intranet host system
Advisory Release Date

 

Product
  • Linchpin Enterprise News
  • Linchpin Events
  • Linchpin Intranet Suite

Affected Linchpin Enterprise News Versions

2.14.1 and earlier

Fixed Linchpin Enterprise News Version2.14.2
Affected Linchpin Events Versions3.3.2 and earlier
Fixed Linchpin Events Versions3.3.4 / 3.4.2
Affected Linchpin Intranet Suite Versions3.4.4 / 3.3.5 / 3.2.4 and earlier
Fixed Linchpin Intranet Suite Versions3.4.5 / 3.3.6 / 3.3.7/ 3.2.5

Problem

We were able to identify a security vulnerability in our Linchpin Enterprise News app and Linchpin Events. The vulnerability allows any logged-in user under tight conditions to run any available software on the host system. This is a type of remote-code-execution attack. The risk of exploiting this bug decreases significantly if users cannot change their fullnames themselves.

The vulnerability has been rated as high (9.8) according to the scale published under the Common Vulnerability Scoring System (CVSS).

This issue was recently discovered by an external reviewer during our participation in the Atlassian Marketplace Bug Bounty Program. We have since fixed the affected functionalities and also analyzed our codebase for similar vulnerabilities.

All versions of the app Linchpin Enterprise News up to and including 2.14.1 are affected by this vulnerability.
All versions of the app Linchpin Events up to and including 3.3.2 are affected by this vulnerability.
All versions of the app Linchpin Intranet Suite are affected by this vulnerability, up to and including versions 3.2.4, 3.3.5 and 3.4.4.

Solution

Depending on the fact whether you use Linchpin Enterprise News or Linchpin Events apps standalone or bundled as part of the Linchpin Intranet Suite, there are different paths to get to the right version of the Linchpin Enterprise News that closes the gap mentioned.

Linchpin Enterprise News

If you are using the Linchpin Enterprise News app in one of the affected versions 2.14.1 or earlier, please immediately update to Linchpin Enterprise News 2.14.2.

Linchpin Events

If you are using the Linchpin Events app in one of the affected versions 3.3.2 or earlier, please immediately update to Linchpin Events 3.3.4 or 3.4.2.

Linchpin Intranet Suite

Please refer to the table below to determine the appropriate fix version.

Current version

Fix version

Linchpin Intranet Suite 3.4.0 to 3.4.4

3.4.5
Linchpin Intranet Suite 3.3.0 to 3.3.53.3.6 or 3.3.7
Linchpin Intranet Suite 3.2.4 and earlier3.2.5

For versions prior to the 3.2 line, we recommend updating to the latest supported version of the Linchpin Intranet Suite available for your Confluence system.

Important: If you update from Linchpin Intranet Suite 2.0.0 or earlier versions, your system could be affected by a rare bug that causes the installation to hang.
Please follow the description in this article: Installation or update of Linchpin Intranet Suite hangs

  1. Restart Confluence (only necessary if the update is already hanging)
  2. Uninstall the app "Linchpin User Profiles (Content Responsibility)".
  3. Uninstall the app "Linchpin User Profiles".
  4. Install the app "Linchpin Intranet Suite" again.

Root Cause

While creating news posts or events users may enter code that is executed by the backend template engine (Apache Velocity) which is integrated in Confluence. With a working combination of different code snippets it is possible to use the Java Reflection API to run system processes on the server host.

If users are NOT able to change their own fullnames the risk for exploiting this vulnerability decreases significantly because the fullname is involved as data source.

We have fixed this by sanitizing user inputs in a way that the template engine does not execute entered code.


This content was last updated on 12/04/2020.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete.

Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with content@seibert.group if you are in doubt, have a question, suggestion, or want changes from us.