We patch and update stuff all the time behind the scenes for our Concrete CMS Hosting clients without blogging about it. However, there is a lot of publicity about PWNKIT CVE-2021-4034, a major Linux vulnerability so hot off the presses that the CVE is still in “reserved” status. This vulnerability allows basic users to gain root access. Hence, we are writing to let you know that we have implemented the suggested mitigation for all our servers and have tested to verify that the mitigation works.

For anyone not hosting with us but using Concrete CMS, we recommend that you investigate whether your hosting environment is vulnerable. If it is, either update your Linux OS or, if no patches are available for your operating system, remove the SUID-bit from pkexec as a temporary mitigation. For example, this root-powered shell command will stop attacks:

# chmod 0755 /usr/bin/pkexec

Fixing this vulnerability is especially important for shared hosting accounts. It is also important to make sure that your webservers are not set to execute any files uploaded to your storage location as described in Concrete CMS Configuration Best Practices as an added precaution to protect against this exploit. 

More information can be found: