We are normally informed about supply chain hacks like this one from sources such as US-CERT (Homeland Security), DoD ARCYBER, SANS and the like. Official sources like these are important to follow to stay current, but yesterday we saw one happen more or less in real time.
When we released Concrete CMS version 9 in 2021 we promised to continue to release security updates for the 8.5.x branch until at least May 1st, 2022.
We are now extending that support period through December 31st, 2022.
If you are running a Concrete Version below 9, we recommend you implement the mitigation - a header configuration applied to nginx or apache.
We patch and update stuff all the time behind the scenes for our Concrete CMS Hosting clients without blogging about it. However, there is a lot of publicity about PWNKIT CVE-2021-4034, a major Linux vulnerability so hot off the presses that the CVE is still in “reserved” status. This vulnerability allows basic users to gain root access. Hence, we are writing to let you know that we have implemented the suggested mitigation for all our servers and have tested to verify that the mitigation works.
We listened! Concrete CMS now has a Configuration Best Practices documentation page which provides a checklist to help you make sure that your Concrete site is secure!
Update Dec 28, 2021. We are aware of CVE-2021-44832 and are continuing to patch any systems that include log4j updated as patches become available.
Update Dec 20 2021: We are keeping any systems that include log4j updated as patches become available additional CVEs related to Log4j. This blog relates to the original Apache Log4j CVE-2021-44228. We are aware of CVE-2021-45105 and have applied all available mitigations and updates.
Dec 15 2021: This blog is an update to the previous blog about Concrete and the Log4j vulnerability posted Dec 13.
Update Dec 28, 2021. We are aware of CVE-2021-44832 and are continuing to patch any systems that include log4j updated as patches become available
Update Dec 20, 2021: We are keeping any systems that include log4j updated as patches become available for additional CVEs related to Log4j. This blog relates to the original Apache Log4j CVE-2021-44228. We posted a blog about follow on vulnerability CVE 2021-45046. We are aware of CVE-2021-45105 and have applied all available mitigations and updates. We are remaining vigilant.
On December 9, 2021 a serious vulnerability in the Java-based logging package Log4j was publicly disclosed. In broad strokes, this vulnerability (CVE-2021-44228) allows an attacker to execute code on a remote server, it’s a pretty big deal.
In the past several days, there have been a number of articles raising the alarm about content management systems which allow executable files to be uploaded by an administrator, who already has complete control over the website.
A vulnerability in concrete5 which permitted authenticated users to view the contents of arbitrary messages was reported on February 11, 2019. No information identifying individuals was exposed. A fix was added to the concrete5 repository on Monday, February 15, 2019 and mitigated on the concrete5.org website on Wednesday, February 20, 2019.
All concrete5 sites should update to versions 8.4.5 or 126.96.36.199. The concrete5.org website has been upgraded and messages are no longer vulnerable, and no evidence was found that suggests this vulnerability was exploited on the website.