ImageMagick vulnerability (CVE-2016-3714, CVE-2016-3718, FSC03839)

Last update: 25 November 2020

ID: FSC03839

Affected Components: Fabasoft Folio

Severity: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 8.4 (High)

Status: Final

First published: 09.05.2016

CVEs: CVE-2016-3714, CVE-2016-3718

Information

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if user-submitted images are processed. An exploit for this vulnerability is being used in the wild.

For further information, please refer to the References section.

Solution

Currently it is possible to deactivate the vulnerable conversions by including the following lines inside the <policymap> element of the policy.xml used by ImageMagick:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />

Please be aware that adding the above lines will currently lead to an error while converting SVG files.

How to apply

Linux
  • Add the above mentioned lines to the /etc/fabasoft/magick/policy.xml file.
  • Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration (a reload is not sufficient).

Windows
  • Create a new environment variable named MAGICK_CONFIGURE_PATH and point it to a directory that all service users are allowed to access.
  • Download the standard policy.xml from the ImageMagick website and save it to this directory (https://www.imagemagick.org/source/policy.xml).
  • Edit the file and add the lines mentioned above.
  • Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration (a reload is not sufficient).
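After editing policy.xml on either platform, an administrator will want to verify that every coder restriction from the Solution section is actually present before restarting the services. The following script is an added example written for this advisory; it is not part of Fabasoft Folio or ImageMagick. It parses a policy.xml, lists which of the nine coder patterns above are still not set to rights="none", and prints the missing <policy> lines so they can be pasted into the <policymap> element. The embedded sample policy.xml is constructed for the example and deliberately contains only some of the entries; on a real host, read /etc/fabasoft/magick/policy.xml (Linux) or the policy.xml in the MAGICK_CONFIGURE_PATH directory (Windows) instead.

```python
"""Check an ImageMagick policy.xml for the coder restrictions listed in the advisory."""
import sys
import xml.etree.ElementTree as ET

# Coder patterns the advisory says must be denied all rights (rights="none").
REQUIRED_BLOCKED_CODERS = (
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
)

# Constructed sample policy.xml (not a real Fabasoft or ImageMagick file): only two of the
# required entries are present, and MVG is merely restricted to "read", which is not enough.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="read" pattern="MVG" />
</policymap>
"""


def blocked_coders(policy_xml: str) -> set:
    """Return the set of coder patterns to which policy.xml grants no rights at all."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("expected a <policymap> root element")
    blocked = set()
    for policy in root.iter("policy"):
        # Only domain="coder" with rights="none" disables a coder; "read" or "write" do not.
        if policy.get("domain") == "coder" and policy.get("rights", "").strip().lower() == "none":
            pattern = policy.get("pattern")
            if pattern:
                blocked.add(pattern.strip().upper())
    return blocked


def missing_coder_blocks(policy_xml: str) -> list:
    """Return the advisory's coder patterns that are NOT blocked, in the advisory's order."""
    blocked = blocked_coders(policy_xml)
    return [coder for coder in REQUIRED_BLOCKED_CODERS if coder not in blocked]


def render_missing_policies(missing) -> str:
    """Render the <policy> lines that still have to be added inside <policymap>."""
    return "\n".join(
        f'<policy domain="coder" rights="none" pattern="{coder}" />' for coder in missing
    )


def check_policy_file(path: str) -> list:
    """Read a policy.xml from disk and return the missing coder patterns."""
    with open(path, encoding="utf-8") as handle:
        return missing_coder_blocks(handle.read())


if __name__ == "__main__":
    # Usage: python check_policy.py [/path/to/policy.xml]; without a path the sample is checked.
    missing = check_policy_file(sys.argv[1]) if len(sys.argv) > 1 else missing_coder_blocks(SAMPLE_POLICY_XML)
    if missing:
        print("policy.xml is missing the following coder restrictions:")
        print(render_missing_policies(missing))
        sys.exit(1)
    print("all coder restrictions from the advisory are present")
```

The check treats anything other than rights="none" as insufficient, because a coder left readable is still invoked on a crafted input; a non-zero exit status makes the script usable as a post-deployment check before the Fabasoft Folio services are restarted.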

Hotfix information

The fixed ImageMagick library is shipped with Fabasoft Folio from these versions:

  • Fabasoft Folio 2013 UR6 (from 13.0.13.36)
  • Fabasoft Folio 2014 UR6 (from 14.0.13.42)
  • Fabasoft Folio 2015 UR3 and above
  • Fabasoft Folio 2016 UR1 and above
  • Fabasoft Folio 2017
  • and all higher Fabasoft Folio versions and Update Rollups


References

Applies to

  • All current versions