September 19, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: security@otrs.org
Security Advisory Details
- ID: OSA-2017-04
- Date: 2017-09-19
- Title: Code Injection / Privilege Escalation OTRS
- Severity: High
- Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x, OTRS 3.3.x
- Fixed in: OTRS 6.0.beta2, OTRS 5.0.23, OTRS 4.0.25, OTRS 3.3.18
- FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:R
- References: CVE-2017-14635
Vulnerability Description
This advisory covers vulnerabilities discovered in the OTRS framework.
Privilege Escalation
An attacker who is logged into OTRS as an agent with write permissions for statistics can inject arbitrary code into the system. This can lead to serious problems like privilege escalation, data loss, and denial of service.
Affected by this vulnerability are OTRS 6.0.beta1, all releases of OTRS 5.0.x up to and including 5.0.22, OTRS 4.0.x up to and including 4.0.24, and OTRS 3.3.x up to and including 3.3.17.
This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.
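As an added example (not part of this advisory and not OTRS's own code), a small Python helper that checks an installed version string against the fixed versions listed above; it treats 6.0.beta1 as older than 6.0.beta2 so the pre-release branch is handled correctly. The RELEASE file layout it reads (a line of the form `VERSION = x.y.z`) is an assumption.

```python
import re

# Fixed versions from OSA-2017-04, keyed by branch (major, minor).
FIXED_IN = {(6, 0): "6.0.beta2", (5, 0): "5.0.23", (4, 0): "4.0.25", (3, 3): "3.3.18"}

# Pre-release tags in release order; a stable release sorts after all of them.
_PRE_TAGS = ["alpha", "beta", "rc"]
_STABLE_RANK = len(_PRE_TAGS)

# Matches "5.0.22" (stable) or "6.0.beta1" (tag plus number pre-release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(?:(\d+)|([a-z]+)(\d+))$")


def version_key(version):
    """Map '5.0.22' or '6.0.beta1' to a tuple that sorts in release order:
    (major, minor, rank, number), where rank puts betas before stable releases."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OTRS version: %r" % version)
    major, minor, patch, tag, num = m.groups()
    if patch is not None:
        return (int(major), int(minor), _STABLE_RANK, int(patch))
    if tag not in _PRE_TAGS:
        raise ValueError("unknown pre-release tag in %r" % version)
    return (int(major), int(minor), _PRE_TAGS.index(tag), int(num))


def is_affected(version):
    """True if the version predates the fix for its branch, False if it carries
    the fix, None if the branch is not covered by this advisory."""
    key = version_key(version)
    fixed = FIXED_IN.get(key[:2])
    if fixed is None:
        return None
    return key < version_key(fixed)


def version_from_release_file(text):
    """Read the VERSION line of an OTRS RELEASE file (assumed format 'VERSION = x.y.z')."""
    m = re.search(r"^VERSION\s*=\s*(\S+)$", text, re.MULTILINE)
    if not m:
        raise ValueError("no VERSION line found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample RELEASE contents, not copied from a real installation.
    sample = "PRODUCT = OTRS\nVERSION = 5.0.22\n"
    v = version_from_release_file(sample)
    print(v, "affected" if is_affected(v) else "not affected")
```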
Fixed releases can be found at:
https://community.otrs.com/category/release-and-security-notes-en/
Detailed information about the changes:
OTRS 6:
- https://github.com/OTRS/otrs/commit/b53ad74c32f82096ebff567623d3df275225d8e7
- https://github.com/OTRS/otrs/commit/8ef268ba79781a5cf2d15f89cb8f9176f2517305
- https://github.com/OTRS/otrs/commit/b8e9a5986c568fee0769eb65f8d4485f5a821ec9
- https://github.com/OTRS/otrs/commit/d4bfce29f8260732cd3f1a84b33d9bd2a0f566ac
OTRS 5:
- https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
- https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618
- https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897
- https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5
OTRS 4:
- https://github.com/OTRS/otrs/commit/0fd2281df7f740cefe5c853cc315efe12b0e43ba
- https://github.com/OTRS/otrs/commit/1286422651e4c8ff5ddc43e22f1909d2f6d80c20
- https://github.com/OTRS/otrs/commit/3e139b7186892a27163c3824a3f8b4ca01e2e4c1
OTRS 3.3:
- https://github.com/OTRS/otrs/commit/3ccc426ec220267d0cac8e3fdc39015a3db7d720
- https://github.com/OTRS/otrs/commit/f27dc65e4a937ba832d60e212ce6c9e3a28e406b
- https://github.com/OTRS/otrs/commit/454c50116c2bf82dcd9dfee9146a7416be686875
- https://github.com/OTRS/otrs/commit/5468720cc8225a85699b1977ff230adbf9f8362d
- https://github.com/OTRS/otrs/commit/0583dfda7bc9c7d76457aad68083f4b28a288ce5
Rather than applying these commits individually, we recommend a complete update to avoid unwanted side effects.
Thanks to Francesco Sirocco for discovering and reporting this issue.