Bug 1071797 (CVE-2017-16921)

Summary: VUL-0: CVE-2017-16921: otrs: Remote code execution for authenticated users (OSA-2017-09)
Product: [openSUSE] openSUSE Distribution
Reporter: Johannes Segitz <jsegitz>
Component: Security
Assignee: Johannes Segitz <jsegitz>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: openSUSE Factory
URL: https://smash.suse.de/issue/196328/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-12-07 16:17:18 UTC
CVE-2017-16921

An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.

https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16921
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16921.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16921
Comment 1 Christian Wittmer 2017-12-08 01:32:26 UTC
ongoing work

Comment 2 Christian Wittmer 2017-12-08 02:01:25 UTC
OTRS 3.3 is EOL. No security updates anymore.
User should update to 4.0.x at least.

http://download.opensuse.org/repositories/network:/otrs:/4/

Comment 3 Bernhard Wiedemann 2017-12-08 02:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1071797) was mentioned in
https://build.opensuse.org/request/show/555150 Factory / otrs

Comment 4 Christian Wittmer 2017-12-16 13:36:57 UTC
An OTRS 5 version is being prepared in network:otrs:Test