IWX-CVE-2022-8338 (2022-03-22)
==============================

At approximately 10:00 Eastern, March 22, 2022, security researchers disclosed a new vulnerability in the InterWorx backup and restore process. A specially altered backup, combined with a social engineering attack, could allow SiteWorx users to escalate privileges and execute arbitrary code as another user.

By 19:03 March 22, InterWorx crafted and released a hotfix to prevent the attack for all currently-supported versions of InterWorx. Due to the nature of the vulnerability, additional hotfixes were made and released for any version of InterWorx that had more than 5 active servers, making the fix available to 99.35% of all InterWorx installations by 21:24 March 22.

.. contents::

Affected InterWorx Versions
---------------------------

- All InterWorx 6 <= 6.12.2
- All InterWorx 7 <= 7.9.7

Fixed in Versions
-----------------

- 7.9.8
- 6.12.x (TBD)

Hotfixes Available
------------------

- interworx-hotfix-6.1.26.1577-12
- interworx-hotfix-6.1.26.1626-125
- interworx-hotfix-6.10.1.1856-27
- interworx-hotfix-6.11.1.1929-2
- interworx-hotfix-6.11.2.1931-3
- interworx-hotfix-6.12.0.1943-14
- interworx-hotfix-6.12.1.1964-2
- interworx-hotfix-6.12.2.1984-5
- interworx-hotfix-6.9.0.1810-33
- interworx-hotfix-7.9.3.1969-2
- interworx-hotfix-7.4.1-1851-11
- interworx-hotfix-7.9.6.1987-2
- interworx-hotfix-7.9.7.1991-2

Installation and Verification
-----------------------------

On a standard InterWorx installation, hotfixes are applied automatically every 6 hours. To verify whether a system has been patched:

#. Log in to the server at the CLI as root, either via SSH or from the terminal.
#. At the CLI, run the following command and compare the output to the list above:

   .. code-block::

      rpm -q interworx-hotfix

#. If the version listed in the command output is not in the list above, run the following to attempt to install the latest hotfix:

   .. code-block::

      ~iworx/bin/hotfix.pex --install --force

#. Check the list again:

   .. code-block::

      rpm -q interworx-hotfix

If the hotfix version in the command output is still not one found in the above list, please :doc:`enable Remote Assistance ` and then `open a support ticket with InterWorx support `__.
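The verification procedure above, scripted as an added example (not InterWorx's own tooling): it compares the ``rpm -q interworx-hotfix`` output against the advisory's hotfix list, runs the forced install only when needed, and re-checks. It assumes ``rpm -q`` may append an architecture suffix, and makes the query and install commands overridable so the flow can be tested on a machine without InterWorx.

```shell
# Added verification helper (not InterWorx's own tooling): check the installed
# interworx-hotfix package against the advisory list, install only if needed.

# Hotfix package versions the advisory lists as carrying the fix.
FIXED_HOTFIXES="
interworx-hotfix-6.1.26.1577-12
interworx-hotfix-6.1.26.1626-125
interworx-hotfix-6.10.1.1856-27
interworx-hotfix-6.11.1.1929-2
interworx-hotfix-6.11.2.1931-3
interworx-hotfix-6.12.0.1943-14
interworx-hotfix-6.12.1.1964-2
interworx-hotfix-6.12.2.1984-5
interworx-hotfix-6.9.0.1810-33
interworx-hotfix-7.9.3.1969-2
interworx-hotfix-7.4.1-1851-11
interworx-hotfix-7.9.6.1987-2
interworx-hotfix-7.9.7.1991-2
"

# Assumption: rpm -q may append an architecture suffix; strip it so the
# comparison is against the bare name-version-release as listed above.
is_fixed_hotfix() {
  pkg=$1; pkg=${pkg%.noarch}; pkg=${pkg%.x86_64}
  for fixed in $FIXED_HOTFIXES; do
    [ "$pkg" = "$fixed" ] && return 0
  done
  return 1
}

# Query and install commands are overridable so the control flow can be
# exercised without rpm or InterWorx; defaults are the advisory's commands.
RPM_QUERY="${RPM_QUERY:-rpm -q interworx-hotfix}"
HOTFIX_INSTALL="${HOTFIX_INSTALL:-~iworx/bin/hotfix.pex --install --force}"

# Returns 0 when patched (before or after the install attempt), 2 otherwise.
check_and_apply() {
  installed=$(eval "$RPM_QUERY" 2>/dev/null)
  if is_fixed_hotfix "$installed"; then
    echo "patched: $installed"; return 0
  fi
  echo "not patched ($installed); attempting hotfix install"
  eval "$HOTFIX_INSTALL" >/dev/null 2>&1
  installed=$(eval "$RPM_QUERY" 2>/dev/null)
  if is_fixed_hotfix "$installed"; then
    echo "patched after install: $installed"; return 0
  fi
  echo "still unpatched ($installed): enable Remote Assistance, open a ticket"
  return 2
}
```

Run ``check_and_apply`` as root on the server; a return code of 2 means the manual steps (Remote Assistance and a support ticket) still apply.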