tseaver at palladion
Sep 28, 2011, 2:46 PM
-----BEGIN PGP SIGNED MESSAGE-----
Security vulnerability 20110928: Arbitrary Code Execution (pre-announcement)
The Zope security response team is pre-announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users.
This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary commands
with the privileges of the Zope service.
Versions Affected: Zope 2.12.x and Zope 2.13.x.
Versions Not Affected: Zope 2.9.x, Zope 2.10.x, Zope 2.11.x
This is a pre-announcement. Due to the severity of this issue we are
providing an advance warning of an upcoming patch, which will be
released 2011-10-04 15:00 UTC.
What you should do in advance of patch availability
Due to the nature of the vulnerability, the security team has decided to
pre-announce that a fix is upcoming before disclosing the details. This
is to ensure that concerned users can plan around the release. As the
fix being published will make the details of the vulnerability public,
we recommend that all users plan a maintenance window, covering 30
minutes either side of the announcement, during which your site is
completely inaccessible and the fix can be installed.
Meanwhile, we STRONGLY recommend that you take the following steps to
protect your site:
- Make sure that the Zope service is running with minimum
privileges. Ideally, the Zope and ZEO services should be able to
write only to log and data directories.
- Use an intrusion detection system that monitors key system resources
for unauthorized changes.
- Monitor your Zope, reverse-proxy request and system logs for unusual
In this case, these are standard precautions that should be employed on
any production system.
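One way to check the first precaution is to audit the instance directory for anything the service account can write to outside its log and data directories. The script below is an added example, not part of the original announcement or of Zope itself; the directory names `var` and `log`, the sample path and the account name are assumptions to adjust to your layout.

```python
import os
import stat
import sys

def writable_by(st, uid, gids):
    """Decide from mode bits whether uid/gids may write; ACLs are not considered."""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_instance(root, uid, gids, allowed=("var", "log")):
    """List paths under root that the service account can write to,
    ignoring the subdirectories in `allowed` (assumed log/data locations)."""
    root = os.path.abspath(root)
    allowed_abs = {os.path.join(root, a) for a in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip the directories that are supposed to be writable.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in allowed_abs]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            # A writable directory lets the account add or replace files in it.
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    # Hypothetical invocation: audit.py /srv/zope/instance zope
    instance, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for finding in audit_instance(instance, pw.pw_uid, groups):
        print("writable outside log/data:", finding)
```

An empty result means the account's write access, as far as mode bits show, is confined to the allowed directories; each reported path is a candidate for a stricter owner or mode.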
Should you not have in-house server administrators or a service
agreement looking after your website you can find consultancy companies
There is also free support available online via Zope mailing lists and
the #zope IRC channels.
Questions and Answers
Q: When will the patch be made available?
A: The Security Team will release the patch at 2011-10-04 15:00 UTC.
Q: What will be involved in applying the patch?
A: Patches are made available as tarball-style archives that may be
unpacked into the “products” folder of a buildout installation and as
Python packages that may be installed by editing a buildout
configuration file and running buildout. Patching is generally easy and
quick to accomplish.
Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the
Plone Security team.
Q: My site is highly visible and mission-critical. I hear the patch has
already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time.
There are no exceptions.
Q: If the patch has been developed already, why isn't it already made
available to the public?
A: The Security Team is still testing the patch and running various
scenarios thoroughly. The team is also making sure everybody has
appropriate time to plan to patch their Zope installation(s). Some
consultancy organizations have hundreds of sites to patch and need the
extra time to coordinate their efforts with their clients.
Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is
Q: Is there a CVE record for this vulnerability?
A: Not yet. This information will be added when available.
If you have specific questions about this vulnerability or its handling,
contact the Zope Security Team, security-response [at] zope
To report potentially security-related issues, please send a mail to the
Zope Security Team at security-response [at] zope. The security team is
always happy to credit individuals and companies who make responsible
Information for vulnerability database maintainers
CVSS Base Score
CVSS Temporal Score
Tres Seaver +1 540-429-0999 tseaver [at] palladion
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Zope-Announce maillist - Zope-Announce [at] zope
Zope-Announce for Announcements only - no discussions
(Related lists -
Developers: https://mail.zope.org/mailman/listinfo/zope-dev )