Security Advisory sugarcrm-sa-2016-008

Advisory ID: http://www.sugarcrm.com/security/sugarcrm-sa-2016-008

Revision: 1.0

Last updated: 2016-07-20

Status: Final (Customer disclosure)

Summary

Risk level: Critical

Vulnerability: Object/command injection

Description

Missing input validation allows both authenticated and unauthenticated users to inject objects, resulting in arbitrary code execution, wherever PHP-serialized user input values are accepted. By carefully crafting PHP-serialized content containing objects as part of a request, arbitrary code can be executed.

The fix from sugarcrm-sa-2016-001, which previously addressed this issue, missed one specific use of the pattern; that use is addressed in the releases listed below.
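
The following PHP snippet is an added example, not SugarCRM code, showing the bug class described above beside its hardened handling: a class whose magic method runs during deserialization, the unsafe pattern of feeding user input to unserialize(), and two mitigations (the allowed_classes option and a pre-check that refuses payloads carrying object tokens). CacheEntry, loadUnsafe, loadHardened and containsObjectTokens are hypothetical names.

```php
<?php
// Added example (not SugarCRM code). All class and function names are hypothetical.

// A hypothetical application class with a magic method. unserialize() of
// attacker-controlled data constructs it and runs __wakeup() automatically.
class CacheEntry
{
    public $path;
    public function __wakeup()
    {
        // Any side effect placed here runs while untrusted input is deserialized.
        error_log("CacheEntry::__wakeup ran for " . var_export($this->path, true));
    }
}

// Vulnerable pattern: serialized user input goes straight into unserialize().
function loadUnsafe(string $input)
{
    return unserialize($input);
}

// Hardened pattern 1 (PHP >= 7.0): forbid object instantiation entirely.
// Objects in the payload become __PHP_Incomplete_Class and no magic method runs.
function loadHardened(string $input)
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    if ($value === false && $input !== serialize(false)) {
        return null; // malformed input, not a legitimately serialized false
    }
    return $value;
}

// Hardened pattern 2: refuse payloads carrying object tokens before they reach
// unserialize() at all, and log the hit for detection. Conservative on purpose:
// 'O:' (object) and 'C:' (custom-serialized class) are the tokens that can
// trigger magic methods; a string value that merely contains them is also refused.
function containsObjectTokens(string $input): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $input);
}

// Constructed sample inputs.
$benign = serialize(['id' => 42, 'name' => 'demo']);   // array only, no O: token
$object = serialize(new CacheEntry());                  // starts with the O: object token

var_dump(containsObjectTokens($benign));
var_dump(containsObjectTokens($object));
// With allowed_classes => false the object comes back incomplete and __wakeup never runs.
var_dump(loadHardened($object) instanceof __PHP_Incomplete_Class);
```

On PHP 5.x, where the allowed_classes option does not exist, the token pre-check is the only one of the two mitigations available, which is why replacing unserialize() of user input with a format such as JSON is the more durable fix.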

Affected Products

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running an older version than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

Product        Editions                                                  Fixed release
SugarCRM 7.7   Professional, Corporate, Enterprise, Ultimate             7.7.1.0
SugarCRM 7.6   Professional, Corporate, Enterprise, Ultimate             7.6.2.2
SugarCRM 7.5   Professional, Corporate, Enterprise, Ultimate             7.5.2.5
SugarCRM 6.7   Professional, Corporate, Enterprise, Ultimate             6.7.13
SugarCRM 6.5   Community, Professional, Corporate, Enterprise, Ultimate  6.5.24

Upgrades

On-Site customers
It is strongly recommended to upgrade the affected products to the reported fixed release version. SugarCRM maintains different releases of its products, each with specific upgrade paths. Consult the "Installation and Upgrade Guide" for the appropriate guidance to patch your instance. Contact support for any further inquiries regarding upgrades.

On-Demand customers
Customers hosted on SugarCRM On-Demand will receive an upgrade automatically.

Publication History

2016-07-20   Update disclosure
2016-05-26   Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.

Credits

This vulnerability has been responsibly disclosed by Egidio Romano (KIS-2016-07) and has been fixed by the SugarCRM Security Team.