ImageMagick vulnerability (CVE-2016-3714 - CVE-2016-3718)

Last update: 20 February 2018

Information

CVE-2016-3714 - CVE-2016-3718
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user-submitted images. The exploit for this vulnerability is being used in the wild.

For further information, please refer to the References section.

Fabasoft Products

Because ImageMagick is used in multiple conversions, all current versions of Fabasoft Folio and the Fabasoft eGov-Suite may be vulnerable.

Solution

Currently it is possible to deactivate the vulnerable conversions by including the following lines in the <policymap> tag of your policy.xml for ImageMagick:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />

Please be aware that adding the above lines will currently lead to an error while converting SVG files.

How to apply

Linux
  • Add the above-mentioned lines to the /etc/fabasoft/magick/policy.xml file.
  • Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration (a reload is not sufficient).
Windows
  • Create a new environment variable named MAGICK_CONFIGURE_PATH and point it to a directory which all service users are allowed to access.
  • Download the standard policy.xml from the ImageMagick website and save it to this directory (https://www.imagemagick.org/source/policy.xml).
  • Edit the file and add the lines mentioned above.
  • Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration (a reload is not sufficient).
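
After editing, it is worth confirming that policy.xml really contains every entry listed above as an active element. The following check is an added example, not part of the Fabasoft advisory or of ImageMagick; the function name audit_policy and the sample document are constructed for illustration, and the check assumes the patterns are written exactly as in the advisory. It inspects the file content only, not what running services have loaded.

```python
import sys
import xml.etree.ElementTree as ET

# Coder patterns the advisory says to deny with rights="none".
REQUIRED_CODERS = ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                   "TEXT", "SHOW", "WIN", "PLT"]

# Constructed sample: MSL is present only inside an XML comment, PLT is
# absent, and URL appears a second time with different rights.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="read" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <!-- <policy domain="coder" rights="none" pattern="MSL" /> -->
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
</policymap>"""


def audit_policy(xml_data):
    """Return (missing, conflicting) lists of required coder patterns.

    missing:     patterns without an active rights="none" coder entry
    conflicting: patterns that also have a coder entry with other rights
    """
    root = ET.fromstring(xml_data)  # commented-out entries are not parsed
    if root.tag != "policymap":
        raise ValueError("root element is <%s>, expected <policymap>" % root.tag)
    denied, other = set(), set()
    for policy in root.findall("policy"):  # direct children of <policymap>
        if policy.get("domain") != "coder":
            continue
        target = denied if policy.get("rights") == "none" else other
        target.add(policy.get("pattern", ""))
    missing = [c for c in REQUIRED_CODERS if c not in denied]
    conflicting = [c for c in REQUIRED_CODERS if c in other]
    return missing, conflicting


if __name__ == "__main__":
    # Pass the path to policy.xml as the first argument; without one the
    # constructed sample above is audited.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    missing, conflicting = audit_policy(data)
    print("missing deny entries:", ", ".join(missing) or "none")
    print("entries with other rights:", ", ".join(conflicting) or "none")
    sys.exit(1 if missing or conflicting else 0)
```
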

References

Applies to

  • All current versions
