IWX-CVE-2022-8338 (2022-03-22)
At approximately 10:00 Eastern on March 22, 2022, security researchers disclosed a new vulnerability in the InterWorx backup and restore process. A specially altered backup, combined with a social-engineering attack, could allow a SiteWorx user to escalate privileges and execute arbitrary code as another user.
By 19:03 on March 22, InterWorx had built and released a hotfix that blocks the attack on all currently supported versions of InterWorx. Because of the nature of the vulnerability, additional hotfixes were also built and released for every version of InterWorx with more than 5 active servers, making the fix available to 99.35% of all InterWorx installations by 21:24 on March 22.
Affected InterWorx Versions
All InterWorx 6 <= 6.12.2
All InterWorx 7 <= 7.9.7
Fixed in Versions
7.9.8
6.12.x (TBD)
Hotfixes Available
interworx-hotfix-6.1.26.1577-12
interworx-hotfix-6.1.26.1626-125
interworx-hotfix-6.9.0.1810-33
interworx-hotfix-6.10.1.1856-27
interworx-hotfix-6.11.1.1929-2
interworx-hotfix-6.11.2.1931-3
interworx-hotfix-6.12.0.1943-14
interworx-hotfix-6.12.1.1964-2
interworx-hotfix-6.12.2.1984-5
interworx-hotfix-7.4.1-1851-11
interworx-hotfix-7.9.3.1969-2
interworx-hotfix-7.9.6.1987-2
interworx-hotfix-7.9.7.1991-2
Installation and Verification
On a standard InterWorx installation, hotfixes are applied automatically every 6 hours, so a server can remain unpatched for several hours after a hotfix is published; verify the installed hotfix rather than assuming it has been applied.
To verify that a system has been patched:
Log in to the server CLI as root, either via SSH or from a local terminal.
Run the following command and compare its output to the list above:
rpm -q interworx-hotfix
If the version in the output is not in the list above (or rpm reports that the package is not installed), run the following to attempt to install the latest hotfix:
~iworx/bin/hotfix.pex --install --force
Check again:
rpm -q interworx-hotfix
If the hotfix version in the output is still not one found in the list above, enable Remote Assistance and then open a support ticket with InterWorx support.
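The verify / force-install / re-verify procedure above, written as an added shell script. This is not part of the InterWorx advisory or of InterWorx's own tooling; it only wraps the advisory's commands in functions so the comparison logic can be checked against constructed `rpm -q` output. Assumptions: the installed package is queried with an explicit `--queryformat` so that the architecture suffix (`.noarch`, `.x86_64`) newer rpm builds append to plain `rpm -q` output does not spoil the comparison (the comparison function also strips such a suffix if one is pasted in); the placeholder string `not-installed` stands in for rpm's "package interworx-hotfix is not installed" result; and the driver only runs when invoked with `--run`.

```shell
#!/bin/sh
# Added example, not InterWorx's own tooling: verify that the installed
# interworx-hotfix package is one of the releases carrying the fix for
# IWX-CVE-2022-8338 and, if not, attempt the hotfix install as the advisory
# instructs. Run as root on the server with:  sh check-iwx-hotfix.sh --run

# Hotfix package names from the advisory (name-version-release form).
FIXED_HOTFIXES="
interworx-hotfix-6.1.26.1577-12
interworx-hotfix-6.1.26.1626-125
interworx-hotfix-6.9.0.1810-33
interworx-hotfix-6.10.1.1856-27
interworx-hotfix-6.11.1.1929-2
interworx-hotfix-6.11.2.1931-3
interworx-hotfix-6.12.0.1943-14
interworx-hotfix-6.12.1.1964-2
interworx-hotfix-6.12.2.1984-5
interworx-hotfix-7.4.1-1851-11
interworx-hotfix-7.9.3.1969-2
interworx-hotfix-7.9.6.1987-2
interworx-hotfix-7.9.7.1991-2
"

# normalize_pkg NAME: strip an architecture suffix (.noarch, .x86_64, .i686)
# that plain `rpm -q` appends by default on newer rpm builds, so the result
# matches the advisory's name-version-release form. Assumption: only these
# three suffixes occur on InterWorx hosts.
normalize_pkg() {
    case "$1" in
        *.noarch|*.x86_64|*.i686) printf '%s\n' "${1%.*}" ;;
        *)                        printf '%s\n' "$1" ;;
    esac
}

# is_fixed_hotfix NAME: succeed (0) only when NAME, after normalization, is
# exactly one of the advisory's fixed hotfix packages. Anything else fails (1),
# including an empty string, the "not-installed" placeholder, or rpm's
# "package interworx-hotfix is not installed" message: the advisory's rule is
# an exact match against the list, so a name outside it is treated as unpatched.
is_fixed_hotfix() {
    pkg=$(normalize_pkg "$1")
    [ -n "$pkg" ] || return 1
    for fixed in $FIXED_HOTFIXES; do
        [ "$pkg" = "$fixed" ] && return 0
    done
    return 1
}

# installed_hotfix: print the installed hotfix package as name-version-release.
# The explicit --queryformat avoids the arch suffix; if the package is absent,
# rpm exits non-zero and the placeholder "not-installed" is printed instead
# (rpm's own "is not installed" message is captured and discarded).
installed_hotfix() {
    out=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' interworx-hotfix 2>/dev/null) \
        && printf '%s\n' "$out" \
        || echo "not-installed"
}

# main: the advisory's verify / force-install / re-verify sequence.
main() {
    installed=$(installed_hotfix)
    if is_fixed_hotfix "$installed"; then
        echo "patched: $installed"
        return 0
    fi
    echo "not patched ($installed); forcing hotfix install"
    ~iworx/bin/hotfix.pex --install --force
    installed=$(installed_hotfix)
    if is_fixed_hotfix "$installed"; then
        echo "patched after install: $installed"
        return 0
    fi
    echo "still unpatched ($installed): enable Remote Assistance and open a support ticket" >&2
    return 1
}

# Run the driver only when explicitly asked, so the functions can be sourced
# and tested without touching rpm or hotfix.pex.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Note that, like the advisory's instructions, the comparison is an exact match against the published list: a later hotfix release for the same base version is reported as unpatched rather than assumed to contain the fix, and a host where rpm reports no interworx-hotfix package at all is treated the same way.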