CISA urges fix for critical remote code execution bug in open source forum Discourse: CVE-2021-41163 (CVSS v3 10.0)


An emergency update has been released to fix a critical remote code execution (RCE) vulnerability in Discourse, tracked as CVE-2021-41163.

Discourse is an open-source forum, long-form chat, and mailing list management platform that provides excellent usability and integration with an emphasis on social features, and is widely deployed on the web.

The vulnerability is in 2.7.8 or later versions, and the best way to address the risk is to update to 2.7.9 or later. The latest beta and test versions also contain a patch for this flaw.

According to official statistics, Discourse was used to publish 3.5 million posts viewed by 405 million users in September 2021 alone.

Because of the widespread use of Discourse, CISA has also issued a warning about this flaw, urging forum administrators to update to the latest available version or apply the necessary workarounds.

Critical RCE Vulnerability in Discourse | CISA

Discourse, an open source discussion platform, has issued a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier.

CISA has released a security advisory to address the vulnerability.

CISA recommends that developers update to the patched version 2.7.9 or later, or apply the necessary workarounds.

The vulnerability stems from a lack of validation of the “subscribe-url” value, which can be exploited by sending a maliciously crafted request to the vulnerable software.

Calling open() with the user’s input allows the user to invoke OS commands with the permissions that the web app is running under, usually “www-data” (administrator).
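One way to validate the “subscribe-url” value before fetching it, shown as an added example (not Discourse's own code or its actual patch). It assumes genuine confirmation links are HTTPS URLs on an `sns.<region>.amazonaws.com` host; the names `safe_subscribe_uri` and `confirm_subscription` are hypothetical.

```ruby
require "uri"
require "net/http"

# Assumption: legitimate confirmation links point at a regional AWS SNS
# endpoint over HTTPS. Adjust the pattern for other AWS partitions.
SNS_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com\z/

# Returns the parsed URI when the value is an acceptable confirmation URL,
# otherwise nil. Anything that is not an absolute HTTPS URL fails closed.
def safe_subscribe_uri(value)
  return nil unless value.is_a?(String)
  uri = URI.parse(value)
  return nil unless uri.is_a?(URI::HTTPS)        # no http, file paths, etc.
  return nil unless uri.userinfo.nil?            # no user:pass@ prefix
  return nil unless uri.host&.match?(SNS_HOST)   # anchored allowlist match
  uri
rescue URI::InvalidURIError
  nil
end

# Fetches the confirmation URL with an HTTP-only client. Kernel#open accepts
# more than URLs (Ruby documents local paths and subprocess syntax), whereas
# Net::HTTP only ever makes an HTTP(S) request to the parsed host.
def confirm_subscription(value, http: Net::HTTP)
  uri = safe_subscribe_uri(value)
  return :rejected if uri.nil?
  http.get_response(uri)
  :confirmed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from any real request.
  [
    "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=constructed",
    "https://sns.us-east-1.amazonaws.com.attacker.example/",
    "http://sns.us-east-1.amazonaws.com/",
    "/etc/hostname",
  ].each { |v| puts "#{safe_subscribe_uri(v) ? 'accept' : 'reject'}  #{v}" }
end
```

Only the first sample is accepted; the rest are rejected before any request is made.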

CVE-2021-41163 has a CVSS v3 score of 10.0 (critical) and needs to be patched urgently.

A search on Shodan yielded 8,641 Discourse hits, many of which appear to be open to RCE exploitation.

If you are unable to update to the latest version, we recommend that you block requests with paths starting with “/webhooks/aws” in your upstream proxy.

At this time, this flaw is still undergoing technical analysis, but the researchers who discovered it have published the technical details.

https://0day.click/recipe/discourse-sns-rce/

The researcher who discovered this flaw stated that he immediately reported the problem to the Discourse team on October 10, 2021.
