[Zope] Security vulnerability 20110928: Arbitrary Code Execution (pre-announcement)

Tres Seaver tseaver at palladion.com
Wed Sep 28 16:46:11 EST 2011

The Zope security response team is pre-announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users.

This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary commands
with the privileges of the Zope service.

Versions Affected:  Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Zope 2.9.x, Zope 2.10.x, Zope 2.11.x

This is a pre-announcement. Due to the severity of this issue we are
providing an advance warning of an upcoming patch, which will be
released 2011-10-04 15:00 UTC.

What you should do in advance of patch availability

Due to the nature of the vulnerability, the security team has decided to
pre-announce that a fix is upcoming before disclosing the details. This
is to ensure that concerned users can plan around the release.  Because
publishing the fix will make the details of the vulnerability public,
we recommend that all users plan a maintenance window covering 30
minutes either side of the announcement, during which the site is
completely inaccessible, in which to install the fix.

Meanwhile, we STRONGLY recommend that you take the following steps to
protect your site:

- Make sure that the Zope service is running with minimum
  privileges. Ideally, the Zope and ZEO services should be able to
  write only to log and data directories.

- Use an intrusion detection system that monitors key system resources
  for unauthorized changes.

- Monitor your Zope, reverse-proxy request and system logs for unusual

In this case, these are standard precautions that should be employed on
any production system.
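
One way to check the first precaution, that the service account can write
only to log and data directories (an added example, not part of the
advisory or of Zope; the instance layout and the `var/log` and
`var/filestorage` paths are assumptions):

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Unix mode-bit check only; ACLs and capabilities are not considered."""
    if uid == 0:
        return True  # root bypasses mode bits: a root-run service fails the check
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_outside_allowed(root, uid, gids, allowed):
    """List paths under root that uid can modify and that lie outside `allowed`."""
    root = os.path.realpath(root)
    allowed = {os.path.normpath(os.path.join(root, a)) for a in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip the directories the service is expected to write to.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in allowed]
        # A writable directory lets its entries be replaced, so check it too.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample instance; the directory layout is an assumption.
    with tempfile.TemporaryDirectory() as inst:
        for d in ("bin", "etc", "var/log", "var/filestorage"):
            os.makedirs(os.path.join(inst, d))
        for f, mode in (("bin/runzope", 0o755), ("etc/zope.conf", 0o666)):
            path = os.path.join(inst, f)
            open(path, "w").close()
            os.chmod(path, mode)
        # Audit as the account running this script, standing in for the service user.
        groups = set(os.getgroups()) | {os.getegid()}
        report = writable_outside_allowed(
            inst, os.geteuid(), groups, ["var/log", "var/filestorage"])
        print("\n".join(report))
```

Run it against the real instance directory with the uid and group ids of
the account that runs Zope or ZEO; an empty result means the account can
modify nothing outside the listed directories.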

Extra help

Should you not have in-house server administrators or a service
agreement looking after your website you can find consultancy companies
on plone.net.

There is also free support available online via Zope mailing lists and
the #zope IRC channels.

Questions and Answers

Q: When will the patch be made available?
A: The Security Team will release the patch at 2011-10-04 15:00 UTC.

Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be
unpacked into the “products” folder of a buildout installation and as
Python packages that may be installed by editing a buildout
configuration file and running buildout.  Patching is generally easy and
quick to accomplish.

Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the
Plone Security team.

Q: My site is highly visible and mission-critical. I hear the patch has
already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time.
There are no exceptions.

Q: If the patch has been developed already, why isn't it already made
available to the public?
A: The Security Team is still testing the patch and running various
scenarios thoroughly. The team is also making sure everybody has
appropriate time to plan to patch their Zope installation(s). Some
consultancy organizations have hundreds of sites to patch and need the
extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is
made available.

Q: Is there a CVE record for this vulnerability?
A: Not yet. This information will be added when available.

If you have specific questions about this vulnerability or its handling,
contact the Zope Security Team, security-response at zope.org.

To report potentially security-related issues, please send a mail to the
Zope Security Team at security-response at zope.org. The security team is
always happy to credit individuals and companies who make responsible

Information for vulnerability database maintainers

CVSS Base Score
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)

Impact Subscore

Exploitability Subscore

CVSS Temporal Score

Alan Hoey

-- 
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com