otrs2: CVE-2017-16921: Remote code execution

Related Vulnerabilities: CVE-2017-16921   CVE-2017-16854  

Debian Bug report logs - #883774


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Dec 2017 13:45:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions otrs2/5.0.16-1, otrs2/3.3.9-3

Fixed in versions otrs2/3.3.18-1+deb8u3, otrs2/5.0.16-1+deb9u4, otrs2/6.0.2-1

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#883774; Package src:otrs2. (Thu, 07 Dec 2017 13:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Thu, 07 Dec 2017 13:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs2: CVE-2017-16921: Remote code execution
Date: Thu, 07 Dec 2017 14:42:39 +0100
Source: otrs2
Version: 5.0.16-1
Severity: grave
Tags: patch security upstream
Control: found -1 3.3.9-3

Hi,

the following vulnerability was published for otrs2.

The issue is related to improper handling of PGP parameters, as such I
think the issue is as well present back in the 3.3.x series (they are
not mentioned in the advisories since the 3.3.x series are not
supported anymore upstream).

CVE-2017-16921[0]:
OSA-2017-09: Remote code execution

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16921
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16921
[1] https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/

Regards,
Salvatore



Marked as found in versions otrs2/3.3.9-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 07 Dec 2017 13:45:04 GMT)


Marked as fixed in versions otrs2/6.0.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 13:51:05 GMT)


Marked as fixed in versions otrs2/3.3.18-1+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Dec 2017 20:21:03 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Dec 2017 20:21:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Dec 2017 20:21:04 GMT)


Marked as fixed in versions otrs2/5.0.16-1+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Dec 2017 20:21:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#883774. (Tue, 19 Dec 2017 20:21:07 GMT)


Message #20 received at 883774-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 883774-submitter@bugs.debian.org
Subject: closing 883774, closing 883774
Date: Tue, 19 Dec 2017 21:19:52 +0100
close 883774 3.3.18-1+deb8u3
close 883774 5.0.16-1+deb9u4
thanks




Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Sun, 24 Dec 2017 13:09:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Dec 2017 13:09:14 GMT)


Message #25 received at 883774-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 883774-close@bugs.debian.org
Subject: Bug#883774: fixed in otrs2 5.0.16-1+deb9u4
Date: Sun, 24 Dec 2017 13:06:19 +0000
Source: otrs2
Source-Version: 5.0.16-1+deb9u4

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883774@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Dec 2017 13:51:47 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.16-1+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 5)
 otrs2      - Open Ticket Request System
Closes: 883774
Changes:
 otrs2 (5.0.16-1+deb9u4) stretch-security; urgency=high
 .
   * Add patch 19-CVE-2017-16921:
     This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is
     logged into OTRS as an agent can manipulate form parameters and execute
     arbitrary shell commands with the permissions of the OTRS or web server
     user.
     Closes: #883774
   * Add patch 18-CVE-2017-16854:
     This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is
     logged into OTRS as a customer can use the ticket search form to disclose
     internal article information of their customer tickets.
Checksums-Sha1:
 b90b280cfba8c0d3fd997e90e7f21eb567c629f4 1838 otrs2_5.0.16-1+deb9u4.dsc
 7eeec0cc2589a7f60b1ab667a68f3de8dfdcb69f 52152 otrs2_5.0.16-1+deb9u4.debian.tar.xz
 f58783ec93abcd393a358faaac83018bf07c3250 7053752 otrs2_5.0.16-1+deb9u4_all.deb
 17489cbc3e469f5e0481b47c2f2cb44d2745d76d 7279 otrs2_5.0.16-1+deb9u4_amd64.buildinfo
 ec45137c9b38e67d5be87a7c95a46240e1d1bb45 213212 otrs_5.0.16-1+deb9u4_all.deb
Checksums-Sha256:
 87a516cb0f449aee5fd11e4b5d152c1631211ea9a713582d58df1aaad2318832 1838 otrs2_5.0.16-1+deb9u4.dsc
 39c63d62e493170b47feef78be0f38100c5717838fb7c375ad30b1cc583a431a 52152 otrs2_5.0.16-1+deb9u4.debian.tar.xz
 5962af54dabba02c7eedb70f4bb9031d9a5ed469b7aae9454dba1f845adccb85 7053752 otrs2_5.0.16-1+deb9u4_all.deb
 3c0e68d4afdcff7c50d77abc7eed1a8f9b8aaa73ac0e25fcbe6850ab88b9709c 7279 otrs2_5.0.16-1+deb9u4_amd64.buildinfo
 28a297166d8f728edd2fe9612dc81cf51b609ad8ca1259f41dc93beb950a08e1 213212 otrs_5.0.16-1+deb9u4_all.deb
Files:
 62fe6b57e57280b0b680a6a97490dd31 1838 non-free/web optional otrs2_5.0.16-1+deb9u4.dsc
 bbdc224d8646474decab84dc81afbe45 52152 non-free/web optional otrs2_5.0.16-1+deb9u4.debian.tar.xz
 75733df4f0b955d9e133cbc330818b7e 7053752 non-free/web optional otrs2_5.0.16-1+deb9u4_all.deb
 4bf2258579e06ffc2855a6e2a29fa5bf 7279 non-free/web optional otrs2_5.0.16-1+deb9u4_amd64.buildinfo
 eca8a54d47f6bf2166ae1a53a435b989 213212 non-free/web optional otrs_5.0.16-1+deb9u4_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Mon, 25 Dec 2017 10:36:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 25 Dec 2017 10:36:18 GMT)


Message #30 received at 883774-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 883774-close@bugs.debian.org
Subject: Bug#883774: fixed in otrs2 3.3.18-1+deb8u3
Date: Mon, 25 Dec 2017 10:33:36 +0000
Source: otrs2
Source-Version: 3.3.18-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883774@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Dec 2017 13:11:19 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 3.3.18-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 3)
 otrs2      - Open Ticket Request System
Closes: 883774
Changes:
 otrs2 (3.3.18-1+deb8u3) jessie-security; urgency=high
 .
   * Add patch 18-OSA-2017-08:
     This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is
     logged into OTRS as a customer can use the ticket search form to disclose
     internal article information of their customer tickets.
   * Add patch 19-OSA-2017-09:
     This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is
     logged into OTRS as an agent can manipulate form parameters and execute
     arbitrary shell commands with the permissions of the OTRS or web server
     user.
     Closes: #883774
Checksums-Sha1:
 adfb032f863a63dc2fddd8e5d5ee4c0de50c48e6 1820 otrs2_3.3.18-1+deb8u3.dsc
 586934b555250a8387b8ca018aa17c266436640c 42492 otrs2_3.3.18-1+deb8u3.debian.tar.xz
 ee2fb3ced7b2c6d6814c690be596a1c41b964198 5644830 otrs2_3.3.18-1+deb8u3_all.deb
 5e1d318549841427a87c3d7815dcc2823fb2df27 188570 otrs_3.3.18-1+deb8u3_all.deb
Checksums-Sha256:
 379e01840e1e2acfb27e6443e4099f8f7726daa51c267280c43d691f23a52e5a 1820 otrs2_3.3.18-1+deb8u3.dsc
 9c7b081847769995b0559dbe8272fbfde79cb19a9104efccd42ba801b799da36 42492 otrs2_3.3.18-1+deb8u3.debian.tar.xz
 6bdaf1f9a3cec91078467ab427174665051b343b685a87d8519b2088eccbaac3 5644830 otrs2_3.3.18-1+deb8u3_all.deb
 274b1f11de7aa85ff9532d29116ba8a6cfe68c73a61c9919eb7c2cf1a7a249f8 188570 otrs_3.3.18-1+deb8u3_all.deb
Files:
 12d2f41d20c75f9f926f2d32cbbbd1de 1820 web optional otrs2_3.3.18-1+deb8u3.dsc
 84e756a3bd4460d36e2fd1127b67f158 42492 web optional otrs2_3.3.18-1+deb8u3.debian.tar.xz
 7fd68cc52ca3596e6ee96f170abfcd48 5644830 web optional otrs2_3.3.18-1+deb8u3_all.deb
 b5b08d40514e59f2f747f514dd6de725 188570 web optional otrs_3.3.18-1+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:29:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:22:22 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.