ImageMagick vulnerability (CVE-2016-3714, CVE-2016-3718, FSC03839)
ID: FSC03839
Affected Components: Fabasoft Folio
Severity: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 8.4 (High)
Status: Final
First published: 09.05.2016
CVEs: CVE-2016-3714, CVE-2016-3718
Information
There are multiple vulnerabilities in ImageMagick, a library commonly used by web services to process images. One of them (CVE-2016-3714) allows remote code execution (RCE) on any system that processes user-submitted images with ImageMagick, because crafted input can make it run shell commands through its delegate handling. An exploit for this vulnerability is being used in the wild.
For further information, please refer to the References section.
Solution
Until the fixed library is installed, the vulnerable coders can be disabled by adding the following lines inside the <policymap> element of ImageMagick's policy.xml:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
Please be aware that adding the above lines currently causes errors when converting SVG files, because ImageMagick's built-in SVG coder renders through the MVG coder that these lines deny.
How to apply
Linux
- Add the above mentioned lines to the /etc/fabasoft/magick/policy.xml file.
- Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration (a reload is not sufficient).
Windows
- Create a new environment variable named MAGICK_CONFIGURE_PATH and point it to a directory which all service users are allowed to access.
- Download the standard policy.xml from the ImageMagick website and save it to this directory (https://www.imagemagick.org/source/policy.xml).
- Edit the file and add the lines mentioned above.
- Restart the Fabasoft Folio web and conversion services in order to ensure that all processes take the new configuration into consideration (a reload is not sufficient).
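The Linux and Windows steps above edit policy.xml by hand. The following script is an added example and is not part of this advisory nor Fabasoft or ImageMagick code: it applies the same nine coder denials idempotently (so a second run changes nothing), leaves the DOCTYPE, comments and existing entries of the file intact, and then probes the ImageMagick binary on PATH with a harmless MVG file to confirm the policy is actually in force. The sample policy.xml is constructed for the example; the file locations it assumes are the ones named above (/etc/fabasoft/magick/policy.xml on Linux, policy.xml under MAGICK_CONFIGURE_PATH on Windows).

```python
# Added example, not Fabasoft or ImageMagick code: apply the advisory's coder
# denials to policy.xml idempotently and check that the installed ImageMagick
# actually refuses an MVG input afterwards.
import os
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# The nine coders the advisory denies, in the order it lists them.
DENIED_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample shaped like a stock policy.xml: a DOCTYPE, a comment, one
# resource limit and one coder already denied (URL). Values are illustrative.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)+>
  <!ELEMENT policy (#PCDATA)>
]>
<policymap>
  <!-- resource limits -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>
"""


def policy_path():
    """Location the advisory uses: policy.xml under MAGICK_CONFIGURE_PATH
    (Windows), otherwise the Folio path on Linux."""
    base = os.environ.get("MAGICK_CONFIGURE_PATH")
    return os.path.join(base, "policy.xml") if base else "/etc/fabasoft/magick/policy.xml"


def denied_coders(xml_text):
    """Coder patterns the policy already denies (domain="coder", rights="none")."""
    root = ET.fromstring(xml_text)
    return {
        (p.get("pattern") or "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }


def missing_denials(xml_text):
    """Advisory coders not yet denied; empty if a wildcard already denies all."""
    denied = denied_coders(xml_text)
    if "*" in denied:
        return []
    return [c for c in DENIED_CODERS if c not in denied]


def harden_policy(xml_text):
    """Insert only the missing <policy> lines right before </policymap>, so the
    DOCTYPE, comments and existing entries survive and a re-run changes nothing."""
    missing = missing_denials(xml_text)
    if not missing:
        return xml_text
    end = xml_text.rfind("</policymap>")
    if end < 0:
        raise ValueError("policy.xml has no <policymap> element")
    new_lines = "".join(
        '  <policy domain="coder" rights="none" pattern="%s" />\n' % c for c in missing
    )
    return xml_text[:end] + new_lines + xml_text[end:]


def harden_policy_file(path):
    """Apply harden_policy in place (keeping a .bak copy); returns the coders added."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    added = missing_denials(original)
    if added:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(harden_policy(original))
    return added


# Harmless MVG probe (draws one rectangle). With MVG denied, ImageMagick refuses
# to read it with "... not allowed by the security policy `MVG'".
PROBE_MVG = "push graphic-context\nviewbox 0 0 8 8\nfill red\nrectangle 1,1 6,6\npop graphic-context\n"


def mvg_is_blocked():
    """True if the ImageMagick on PATH refuses the MVG probe, False if it converts
    it, None if no ImageMagick binary is found. Run this as the service user so
    the same MAGICK_CONFIGURE_PATH and policy search path apply."""
    binary = shutil.which("magick") or shutil.which("convert")
    if binary is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "probe.mvg"), os.path.join(tmp, "probe.png")
        with open(src, "w") as f:
            f.write(PROBE_MVG)
        proc = subprocess.run([binary, src, dst], capture_output=True, text=True, timeout=30)
    return proc.returncode != 0 and "security policy" in proc.stderr


if __name__ == "__main__":
    print("missing before:", missing_denials(SAMPLE_POLICY))
    hardened = harden_policy(SAMPLE_POLICY)
    print("missing after:", missing_denials(hardened))
    print("MVG blocked by installed ImageMagick:", mvg_is_blocked())
    # To patch the real file: harden_policy_file(policy_path()), then restart the
    # Folio web and conversion services as the advisory requires.
```

The probe only tells you what the `magick`/`convert` binary on PATH sees; run it as the Folio service user after the restart, and on Windows make sure `convert` resolves to ImageMagick rather than the system utility of the same name. `convert -list policy` (or `magick -list policy`) is a second, cheaper check that the denials were loaded from the expected file.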
Hotfix information
The fixed ImageMagick library is shipped with Fabasoft Folio from these versions:
- Fabasoft Folio 2013 UR6 (from 13.0.13.36)
- Fabasoft Folio 2014 UR6 (from 14.0.13.42)
- Fabasoft Folio 2015 UR3 and above
- Fabasoft Folio 2016 UR1 and above
- Fabasoft Folio 2017
- and all higher Fabasoft Folio versions and Update Rollups
References
- MITRE: CVE-2016-3714
- MITRE: CVE-2016-3715
- MITRE: CVE-2016-3716
- MITRE: CVE-2016-3717
- MITRE: CVE-2016-3718
- ImageTragick
- ImageMagick: Resources listing
Applies to
- All current versions