IWX-CVE-2022-8384 (2022-03-31)
==============================

At approximately 0400 Eastern, March 31, 2022, security researchers disclosed a new vulnerability in the InterWorx backup process. A maliciously named file can be placed in user-controlled directories. This file name may be passed to the tar command with insufficient escaping. The tar command issued during the backup process may then execute arbitrary code as a privileged user.

At approximately 1700 Eastern, March 31, InterWorx released hotfixes to correct this vulnerability.

.. contents::

Affected InterWorx Versions
---------------------------

- All InterWorx 6 <= 6.12.2
- All InterWorx 7 <= 7.9.8

Hotfixes Available
------------------

- interworx-hotfix-6.1.26.1577-13
- interworx-hotfix-6.1.26.1626-126
- interworx-hotfix-6.10.1.1856-28
- interworx-hotfix-6.11.1.1929-3
- interworx-hotfix-6.11.2.1931-4
- interworx-hotfix-6.12.0.1943-15
- interworx-hotfix-6.12.1.1964-3
- interworx-hotfix-6.12.2.1984-6
- interworx-hotfix-6.9.0.1810-34
- interworx-hotfix-7.4.1.1851-12
- interworx-hotfix-7.9.3.1969-3
- interworx-hotfix-7.9.6.1987-3
- interworx-hotfix-7.9.7.1991-3
- interworx-hotfix-7.9.8.2025-1

Fixed in Versions
-----------------

- 7.10.0
- 6.12.x (TBD)

Installation and Verification
-----------------------------

On a standard InterWorx installation, hotfixes are automatically applied every 6 hours. To verify whether a system has been patched:

#. Log in to the server at the CLI as root, either via SSH or from the terminal.
#. At the CLI, run the following command, and compare the output to the list above:

   .. code-block::

      rpm -q interworx-hotfix

#. If the version listed in the command output is not in the list above, run the following to attempt to install the latest hotfix:

   .. code-block::

      ~iworx/bin/hotfix.pex --install --force

#. Check the list again:

   .. code-block::

      rpm -q interworx-hotfix

If the hotfix version in the command output is still not one found in the above list, please :doc:`enable Remote Assistance ` and then `open a support ticket with InterWorx support `__.
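The four verification steps above as one script. This is an added example, not InterWorx's own tooling: the hotfix list is copied from this advisory, the ``rpm`` query format is narrowed to name-version-release so that an architecture suffix does not defeat the comparison, and the forced install is attempted only once before falling back to the support instructions.

```shell
#!/bin/sh
# Added example (not InterWorx code): scripted form of the manual
# hotfix verification procedure. Run as root: sh check_hotfix.sh --run

# Hotfix builds listed in the advisory as containing the fix.
KNOWN_HOTFIXES="
interworx-hotfix-6.1.26.1577-13
interworx-hotfix-6.1.26.1626-126
interworx-hotfix-6.10.1.1856-28
interworx-hotfix-6.11.1.1929-3
interworx-hotfix-6.11.2.1931-4
interworx-hotfix-6.12.0.1943-15
interworx-hotfix-6.12.1.1964-3
interworx-hotfix-6.12.2.1984-6
interworx-hotfix-6.9.0.1810-34
interworx-hotfix-7.4.1.1851-12
interworx-hotfix-7.9.3.1969-3
interworx-hotfix-7.9.6.1987-3
interworx-hotfix-7.9.7.1991-3
interworx-hotfix-7.9.8.2025-1
"

# Return 0 if the given package string is one of the fixed hotfix builds.
hotfix_is_known() {
    for h in $KNOWN_HOTFIXES; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# Print the installed hotfix as NAME-VERSION-RELEASE (no arch suffix), or
# an empty string when the package is not installed.
installed_hotfix() {
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' interworx-hotfix 2>/dev/null || true
}

# Steps 2 to 4: query, attempt one forced install if needed, query again.
check_and_patch() {
    installed=$(installed_hotfix)
    if hotfix_is_known "$installed"; then
        echo "patched: $installed"
        return 0
    fi
    echo "not patched (found: ${installed:-none}); attempting hotfix install"
    ~iworx/bin/hotfix.pex --install --force
    installed=$(installed_hotfix)
    if hotfix_is_known "$installed"; then
        echo "patched: $installed"
        return 0
    fi
    echo "still not patched: enable Remote Assistance and open a support ticket" >&2
    return 1
}

# Only run the live check when explicitly asked, so the functions can be
# sourced and tested without touching rpm.
if [ "${1:-}" = "--run" ]; then
    check_and_patch
fi
```

The comparison only covers hotfixed builds: a server already running a release from the "Fixed in Versions" list has no hotfix package to compare, so treat an empty ``rpm -q`` result on such a system as expected rather than as a failed check.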
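The root cause described at the top of this advisory, a user-chosen file name reaching ``tar`` without enough escaping, is a general pitfall of shell-built backup commands. The following is an added example, not InterWorx's backup code: it shows the weak pattern as a comment and a hardened invocation in which names are never re-parsed by a shell and ``tar`` is told to read them verbatim. The directory and archive paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not InterWorx code): archive a directory whose entry names
# are controlled by an untrusted user without letting any name be parsed as
# a tar option.

# Weak pattern (comment only, do not use): the shell expands the names and
# tar then parses them, so an entry that looks like an option is treated as
# one instead of as a file to archive.
#   tar -cf "$out" $(ls "$dir")

# Hardened pattern:
#  - names travel from find to tar NUL-delimited, never through a shell
#  - "--null" makes tar read those names verbatim (no option processing)
#  - "-C" scopes every name to the directory, so entries start with "./"
# Only regular files are listed; parent directories are created on extract.
safe_backup() {
    dir=$1
    out=$2
    [ -d "$dir" ] || { echo "safe_backup: no such directory: $dir" >&2; return 2; }
    (cd "$dir" && find . -type f -print0) | tar -cf "$out" -C "$dir" --null -T -
}

# List archive members one per line so a caller can confirm that every
# entry was stored under its plain name.
list_members() {
    tar -tf "$1"
}
```

A quick self-check after a backup is to compare ``list_members`` against ``find "$dir" -type f``: every file should appear as a member, and a name that begins with a dash or contains spaces should appear exactly as ``./name``, never consumed as an option or split into several members.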