An IT safety alert replace for recognized vulnerabilities is revealed in ILIAS. You can examine which purposes and merchandise are affected by safety holes right here at information.de.
Federal workplace for Security in Information Technology (BSI) has revealed a safety discover for ILIAS on May 20, 2024. Several vulnerabilities have been present in using this software program that may very well be exploited by attackers. The safety vulnerability impacts the Linux working system and the open supply ILIAS product. This alert was final up to date on May 23, 2024.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability might be discovered right here: Security Advisory: Gaining Use of PHP Code in ILIAS eLearning LMS earlier than v7.30/v8.11/v9.1 (From 22 May 2024). Some helpful assets are listed later on this article.
A excessive danger of ILIAS has been reported – Risk: excessive
Risk degree: 4 (excessive)
CVSS Base Score: 9.8
CVSS provisional rating: 8,8
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the vulnerability of laptop techniques. The CVSS commonplace makes it doable to check potential or precise safety dangers primarily based on numerous standards to create a precedence checklist for countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of the vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, consumer interplay) and its outcomes. For short-term impact, body situations that will change over time are thought of within the take a look at. According to CVSS, the danger of the vulnerability talked about right here is rated as “excessive” with a base worth of 9.8.
ILIAS Bug: Implications of exploiting a recognized vulnerability
ILIAS is an open supply e-learning answer.
A distant attacker may exploit a number of vulnerabilities in ILIAS to execute arbitrary code or carry out a Cross-Site Scripting (XSS) assault.
Vulnerabilities are categorized utilizing the CVE (Common Vulnerabilities and Exposures) reference system utilizing particular person serial numbers. CVE-2024-33525, CVE-2024-33526, CVE-2024-33527, CVE-2024-33528 and CVE-2024-33529.
Systems affected by the ILIAS safety vulnerability at a look
working system
Linux
Products
ILIAS Open Source ILIAS Open Source ILIAS Open Source ILIAS
General steps for coping with IT vulnerabilities
- Users of the affected apps ought to keep up-to-date. When safety holes are recognized, producers are required to repair them rapidly by creating a patch or workaround. If safety patches can be found, set up them instantly.
- For info, see the sources listed within the subsequent part. This usually comprises further details about the newest model of the software program in query and the provision of safety patches or efficiency ideas.
- If you will have any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to frequently test the desired sources to see if a brand new safety replace is obtainable.
Manufacturer details about updates, patches and workarounds
Here you’ll find some hyperlinks with details about bug reviews, safety fixes and workarounds.
Security Advisory: Gaining Use of PHP Code in ILIAS eLearning LMS earlier than v7.30/v8.11/v9.1 vom 2024-05-22 (23.05.2024)
For extra info, see:
Ilias 7.3.0 launch from 2024-05-14 (22.05.2024)
For extra info, see:
Ilias 8.1.1 launch from 2024-05-14 (22.05.2024)
For extra info, see:
Ilias Release 9.1 as of 2024-05-17 (20.05.2024)
For extra info, see:
Version historical past of this safety alert
This is model 3 of this ILIAS IT safety discover. If additional updates are introduced, this doc can be up to date. You can see the modifications made utilizing the model historical past beneath.
May 20, 2024 – First model
May 22, 2024 – More fastened vulnerabilities and product variations added
May 23, 2024 – Advice from ERNW recorded on PoC
+++ Editorial notice: This doc relies on present BSI information and can be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
comply with News.de you’re right here Facebook, Twitter, Pinterest once more YouTube? Here you’ll find scorching information, present movies and a direct line to the editorial staff.
kns/roj/information.de