IWX-CVE-2023-10947 (2023-07-19)
===============================

At approximately 17:00 Eastern, July 18, 2023, security researchers disclosed a new vulnerability in the InterWorx Backup Import process. A NodeWorx user with filesystem access can create a malicious false backup file, leading to the possibility of remote code execution as the iworx system user.

At approximately 17:10 Eastern, July 19, 2023, InterWorx released hotfixes to correct this vulnerability.

Affected InterWorx Versions
---------------------------

- All InterWorx 6 <= 6.14.2
- All InterWorx 7 <= 7.13.10

Fixed in Versions
-----------------

- 7.13.x (TBD)
- 6.14.x (TBD)

Hotfixes Available
------------------

- interworx-hotfix-6.10.1.1856-46
- interworx-hotfix-6.12.2.1984-29
- interworx-hotfix-6.13.2.2074-28
- interworx-hotfix-6.14.1.2344-17
- interworx-hotfix-6.14.2.2429-6
- interworx-hotfix-7.10.2.2046-26
- interworx-hotfix-7.13.8.2437-7
- interworx-hotfix-7.13.9.2451-6

Installation and Verification
-----------------------------

On a standard InterWorx installation, hotfixes are automatically applied every 6 hours.

To verify if a system has been patched:

#. Log in to the server at the CLI as root, either via SSH or from the terminal

#. At the CLI, run the following command, and compare the output to the list above:

   .. code-block::

      rpm -q interworx-hotfix

#. If the version listed in the command output is not in the list above, run the following to attempt to install the latest hotfix:

   .. code-block::

      ~iworx/bin/hotfix.pex --install --force

#. Check the list, again

   .. code-block::

      rpm -q interworx-hotfix

If the hotfix version in the command output is still not one found in the above list, please :doc:`enable Remote Assistance ` and then `open a support ticket with InterWorx support `__.
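
The comparison in steps 2 and 4 can be scripted for checking many servers. The following is an added example, not part of the original advisory or InterWorx tooling: the function name ``classify_hotfix`` and its status words are hypothetical, and it assumes the number after the final ``-`` is the hotfix release and that ``rpm`` may append a suffix such as ``.noarch``.

```bash
# Added example: classify `rpm -q interworx-hotfix` output against the advisory list.

# Hotfix packages the advisory lists as containing the fix (copied from the page).
FIXED_HOTFIXES="interworx-hotfix-6.10.1.1856-46
interworx-hotfix-6.12.2.1984-29
interworx-hotfix-6.13.2.2074-28
interworx-hotfix-6.14.1.2344-17
interworx-hotfix-6.14.2.2429-6
interworx-hotfix-7.10.2.2046-26
interworx-hotfix-7.13.8.2437-7
interworx-hotfix-7.13.9.2451-6"

# classify_hotfix QUERY_OUTPUT
# Prints: patched | older | newer | not-listed | missing
classify_hotfix() {
    q_out=$1
    case $q_out in
        ''|*'is not installed'*) echo missing; return 0 ;;
    esac
    for q_fixed in $FIXED_HOTFIXES; do
        q_base=${q_fixed%-*}   # same InterWorx build, e.g. interworx-hotfix-6.14.2.2429
        q_min=${q_fixed##*-}   # hotfix release listed in the advisory
        case $q_out in
            # Listed package; assumption: rpm may append a suffix such as ".noarch".
            "$q_fixed"|"$q_fixed".*) echo patched; return 0 ;;
            # Same build, different hotfix release (assumed to be numeric).
            "$q_base"-*)
                q_rel=${q_out#"$q_base"-}; q_rel=${q_rel%%.*}
                case $q_rel in ''|*[!0-9]*) echo not-listed; return 0 ;; esac
                if [ "$q_rel" -lt "$q_min" ]; then echo older   # predates the listed hotfix
                else echo newer   # later than listed; the advisory does not cover it
                fi
                return 0 ;;
        esac
    done
    echo not-listed   # build has no entry in the advisory's hotfix list
}

# Constructed sample outputs (not captured from a real server).
for q_sample in "interworx-hotfix-6.14.2.2429-6" \
                "interworx-hotfix-7.13.9.2451-4" \
                "package interworx-hotfix is not installed"; do
    printf '%s => %s\n' "$q_sample" "$(classify_hotfix "$q_sample")"
done
# On a server: classify_hotfix "$(rpm -q interworx-hotfix 2>&1)"
```

Any result other than ``patched`` corresponds to step 3 above: force the hotfix install and query again.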