(UPDATED) Critical Remote Command Execution Vulnerability in Joomla

ITS Advisory Number: 2015-154 (UPDATED)
Date(s) Issued: Tuesday, December 15, 2015
Date Updated: Thursday, December 24, 2015
Subject: (UPDATED) Critical Remote Command Execution Vulnerability in Joomla
Overview: 

ORIGINAL OVERVIEW:

The Joomla security team has released a critical patch that affects all versions from 1.5.0 to 3.4.5. Joomla is a popular open-source Content Management System (CMS). Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks. There have been reports of this vulnerability being actively exploited in the wild and a proof of concept (POC) has been made available and is confirmed to be valid.

December 24 UPDATED OVERVIEW:

The patch that Joomla released on December 15th has been found to introduce another vulnerability. Joomla has released patch 3.4.7 to address this vulnerability along with one minor vulnerability.

Systems Affected: 
  • Joomla CMS versions 1.5.0 through 3.4.5

December 24 UPDATED SYSTEM(S) AFFECTED:

  • Joomla CMS Versions 1.5.0 through 3.4.6
Risk:
  GOVERNMENT
    Large and medium government entities: High
    Small government entities: High
  BUSINESS
    Large and medium business entities: High
    Small business entities: High
  Home Users: Low
Description: 

ORIGINAL DESCRIPTION:

The Joomla security team released a critical patch that affects all versions from 1.5.0 through 3.4.5.

Browser information is not filtered properly when session values are saved to the database, which leads to a remote code execution vulnerability. Indicators of Compromise (IoCs) are listed at the Sucuri link below.

December 24 UPDATED DESCRIPTION:

Version 3.4.7 was released to address two reported security vulnerabilities. This includes security hardening of the MySQLi driver to help prevent object injection attacks.

Since the update, however, it has become clear that the root cause of the original remote code execution vulnerability was a bug in PHP. This bug was patched in all versions of PHP 7 as well as PHP versions 5.4.45, 5.5.29 and 5.6.13. The only Joomla sites affected by this vulnerability are those running vulnerable versions of PHP.

Actions: 
  • Update vulnerable systems running Joomla immediately after appropriate testing.
  • Review your logs for Indicators of Compromise (IoCs).
  • If a server is suspected of being compromised, please contact the CSOC.
  • If you are running older, unsupported (EOL) versions of Joomla, there are hotfixes available. Please see the references link below for details.
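As an added example (not part of this advisory and not Joomla's own code), the following Python script supports the description and the log-review action above: it checks a PHP version string against the patched releases the description names, and it scans web-server access logs in Apache combined format for User-Agent values that carry a PHP serialized-object marker, which is what unfiltered browser information of the kind described above looks like in a log. The sample log lines and the class name "Foo" are constructed.

```python
import re

# Constructed sample access-log lines in Apache "combined" format; the
# second carries a PHP serialized-object marker in its User-Agent field.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
203.0.113.9 - - [15/Dec/2015:10:01:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "O:3:"Foo":0:{}"
"""

# Apache combined format; the User-Agent is the last quoted field and may
# itself contain quotes, so it is matched greedily up to the final quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# PHP serialize() object syntax: O:<len>:"<class>":<count>:{...}
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')

# Minimum patched release per PHP 5.x branch, as stated in the advisory.
FIXED_PHP = {(5, 4): (5, 4, 45), (5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}

def php_is_patched(version):
    """True if this PHP release carries the fix the advisory names: all of
    PHP 7, or at least the listed 5.4/5.5/5.6 release. Branches not listed
    (5.3 and older) are conservatively treated as unpatched."""
    # Tolerate distro suffixes such as "5.6.13-0+deb8u1" by taking leading digits.
    parts = tuple(int(re.match(r"\d+", p).group()) for p in version.split(".")[:3])
    if parts[0] >= 7:
        return True
    floor = FIXED_PHP.get(parts[:2])
    return floor is not None and parts >= floor

def suspicious_user_agents(log_text):
    """Return (client_ip, user_agent) pairs for requests whose User-Agent
    contains a serialized PHP object, which no browser legitimately sends."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        ua = m.group("ua")
        if SERIALIZED_OBJECT.search(ua):
            hits.append((m.group("ip"), ua))
    return hits

if __name__ == "__main__":
    print("PHP 5.6.12 patched:", php_is_patched("5.6.12"))
    for ip, ua in suspicious_user_agents(SAMPLE_LOG):
        print("suspicious User-Agent from", ip, "->", ua)
```

A hit only shows that a request carried a serialized object; confirming compromise still means checking what the server did with it, and a site on a patched PHP release is not exploitable by this path even if such requests appear.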