Impact
If a standard installation of openEQUELLA has overly permissive file permissions on the manager directory, all files within that directory (and subdirectories) are publicly accessible. Further, in customised cases (e.g. where oEQ is manually run as a JAR via java -jar) it is possible to access files and directories within the working directory. (There are a number of files within the manager directory which contain sensitive information - credentials and possibly general configuration.)
Patches
There is a patch available for all versions of oEQ starting at 6.6. Please ensure you upgrade to the latest version, or at least:
- 6.6r37
- 2018.2r52
- 2019.1.7
- 2019.2.5
- 2020.1.5
Version 2020.2.0 when released will include the fix.
Workarounds
Ensure all files within the manager directory (or, under custom situations, the working directory) have permissions such that the user that the openEQUELLA process runs as does not have access.
Alternatively, names of known files and directories could be blocked by configuration of any fronting reverse proxies or load balancers. (Specific configuration will depend on each instance's unique configuration.)
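As an added example (not part of this advisory or the openEQUELLA project), the following POSIX shell check reports files under a given directory whose mode bits grant read access to the group or to others, which is the condition the first workaround above is meant to eliminate. The directory path and the sample tree are constructed here; the real manager directory location is installation-specific.

```shell
#!/bin/sh
# Audit helper (added example, not from the advisory).
# List regular files under a directory that are readable by the group
# (-perm -040) or by others (-perm -004). Files that are readable only
# by their owner (e.g. mode 0600) are not reported.
find_exposed_files() {
    dir="$1"
    find "$dir" -type f \( -perm -004 -o -perm -040 \)
}

# Number of exposed files under the directory; "0" means the tree passes.
count_exposed() {
    find_exposed_files "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree so the check can be run offline.
# Assumed layout: <base>/manager/config/ holding two properties files,
# one locked to the owner and one left group/world readable.
setup_sample() {
    base="$(mktemp -d)"
    mkdir -p "$base/manager/config"
    printf 'admin.password=PLACEHOLDER\n' > "$base/manager/config/credentials.properties"
    printf 'logging.level=INFO\n'        > "$base/manager/config/public.properties"
    chmod 0600 "$base/manager/config/credentials.properties"
    chmod 0644 "$base/manager/config/public.properties"
    printf '%s' "$base"
}
```

Run it against the real installation with `find_exposed_files /path/to/manager`; any line of output is a file the process user (or anyone else) may be able to read.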
For more information
If you have any questions or comments about this advisory: