Vulnerability Exploit Affecting Fedora v3.8


Arran Griffith

Jan 21, 2025, 3:00:41 PM
to Fedora Community, Fedora Tech, Fedora Committers, South Central States Fedora Users, DC Fedora Users, German Speaking Fedora Users

Hi Everyone,

Today we are sharing news about a recent vulnerability exploit we were made aware of affecting Fedora version 3.x. The Cybersecurity and Infrastructure Security Agency (CISA) alerted us to 2 exploits within the fcrepo-core code base and has published their findings in the attached document.


An overview of the exploits is as follows:

  1. Default Credentials
     • fedoraIntCallUser allows access to local files on a filestream and contains a default password of “changeme”, which could allow a user to modify site data or replace contents of existing objects.
  2. Arbitrary File Write leading to Remote Code Execution
     • Utilizing a “zipslip” attack, any authenticated user could place arbitrary files on the file system and execute code by placing malicious JSP files within the tomcat/webapps directory.


Details of these exploits and CISA’s findings are publicly available in the following GitHub repository: https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white


The Fedora 3.x GitHub repository was archived back in 2017 and is no longer maintained, thus the program is unable to provide a community-wide fix for these vulnerabilities. We continue to encourage migrations to the most recent version of Fedora, 6.5.1 – which was released just last week. We strongly encourage all users on Fedora 3.x to consider migrating and want to draw your attention to the available migration tooling and documentation:

  • Migration Toolkit - https://wiki.lyrasis.org/display/FF/Migration+Toolkit+Overview
  • Migration-utils - https://github.com/fcrepo-exts/migration-utils


At this time we would like to remind the community of the Fedora Long Term Support (LTS) Policy, which can be found on the Fedora wiki - https://wiki.lyrasis.org/display/FF/Policy+-+Long+Term+Support. The LTS Policy states that the Fedora community is committed to supporting Fedora version 6.x. 


We are happy to answer any questions you may have. Thanks for your understanding. 


Arran and the Fedora Technical Team.

---

Arran Griffith

Program Manager, Fedora Program

Lyrasis


Attachment: vrf24-10-KSZTT_fedora3.pdf
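The second finding in the announcement above is a "zip slip": an archive entry whose name carries "../" segments or an absolute path is written wherever that name points rather than under the intended extraction directory. The defence is to resolve every entry's destination and refuse the whole archive if any entry lands outside the target. The Python below is an added example written for this post, not code from fcrepo-core or from CISA's report; the archive it builds is constructed sample data, and `safe_extract`, `is_safe_entry` and `classify_archive` are names chosen here. It shows the check generically, for any archive extractor, rather than the specific Java code path in Fedora 3.x.

```python
"""Archive extraction that blocks "zip slip" path traversal (added example)."""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(Exception):
    """Raised when an archive entry would be written outside the target dir."""


def is_safe_entry(root: str | Path, entry_name: str) -> bool:
    # Resolve the would-be destination and require it to sit strictly under
    # root. Absolute names, ".." segments and mixed separators are all
    # normalised by resolve() before the containment check, so a single
    # comparison covers every spelling of "escape the directory".
    root_path = Path(root).resolve()
    dest = (root_path / entry_name).resolve()
    return root_path in dest.parents


def safe_extract(archive: zipfile.ZipFile, target_dir: str | Path) -> list[str]:
    """Extract only entries that land under target_dir.

    All names are validated before anything is written, so a hostile archive
    is rejected outright instead of being half-deployed. Returns the names of
    the file entries written.
    """
    target = Path(target_dir)
    names = archive.namelist()
    bad = [n for n in names if not is_safe_entry(target, n)]
    if bad:
        raise ZipSlipError(f"entries escape target directory: {bad}")
    written: list[str] = []
    for name in names:
        dest = target / name
        if name.endswith("/"):  # directory entry
            dest.mkdir(parents=True, exist_ok=True)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        with archive.open(name) as src, open(dest, "wb") as out:
            out.write(src.read())
        written.append(name)
    return written


def build_sample_archive(malicious: bool) -> zipfile.ZipFile:
    """Constructed sample: one benign entry plus, optionally, two escaping ones.

    ZipInfo accepts any entry name verbatim, which is how a hostile archive
    carries "../" or absolute paths past an extractor that trusts the name.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        if malicious:
            zf.writestr(zipfile.ZipInfo("../../outside.txt"), "escaped\n")
            zf.writestr(zipfile.ZipInfo("/tmp/absolute.txt"), "absolute\n")
    buf.seek(0)
    return zipfile.ZipFile(buf, "r")


def classify_archive(malicious: bool) -> tuple[bool, list[str]]:
    """Extract a sample archive into a scratch dir.

    Returns (rejected, names_written): a clean archive is extracted and its
    file entries listed; an archive with an escaping entry is rejected and
    nothing is written.
    """
    with tempfile.TemporaryDirectory() as tmp:
        try:
            written = safe_extract(build_sample_archive(malicious), tmp)
            return False, written
        except ZipSlipError:
            return True, []


if __name__ == "__main__":
    print("clean archive:", classify_archive(False))
    print("hostile archive:", classify_archive(True))
```

Two points for anyone hardening an extractor. First, the containment check must run on the fully resolved destination, not on the raw entry name; string checks for a literal "../" miss absolute paths and encoded or doubled separators. Second, even a correctly contained extraction should never target a directory the servlet container auto-deploys from, since a file the application legitimately accepts becomes executable the moment it lands under tomcat/webapps. Python's own `ZipFile.extractall` already strips traversal components, but Java's `ZipInputStream` hands back entry names verbatim, which is why the check has to be explicit in code bases like the one discussed above.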