IWX-CVE-2022-8384 (2022-03-31)

At approximately 0400 Eastern, March 31, 2022, security researchers disclosed a new vulnerability in the InterWorx backup process.

A maliciously named file can be placed in a user-controlled directory. During the backup process, that file name may be passed to the tar command with insufficient escaping, so the tar command issued by the backup may execute arbitrary code as a privileged user.

At approximately 1700 Eastern, March 31, InterWorx released hotfixes to correct this vulnerability.

Affected InterWorx Versions

  • All InterWorx 6 <= 6.12.2

  • All InterWorx 7 <= 7.9.8

Hotfixes Available

  • interworx-hotfix-6.1.26.1577-13

  • interworx-hotfix-6.1.26.1626-126

  • interworx-hotfix-6.10.1.1856-28

  • interworx-hotfix-6.11.1.1929-3

  • interworx-hotfix-6.11.2.1931-4

  • interworx-hotfix-6.12.0.1943-15

  • interworx-hotfix-6.12.1.1964-3

  • interworx-hotfix-6.12.2.1984-6

  • interworx-hotfix-6.9.0.1810-34

  • interworx-hotfix-7.4.1.1851-12

  • interworx-hotfix-7.9.3.1969-3

  • interworx-hotfix-7.9.6.1987-3

  • interworx-hotfix-7.9.7.1991-3

  • interworx-hotfix-7.9.8.2025-1

Fixed in Versions

  • 7.10.0

  • 6.12.x (TBD)

Installation and Verification

On a standard InterWorx installation, hotfixes are automatically applied every 6 hours.

To verify if a system has been patched:

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, run the following command, and compare the output to the list above:

    rpm -q interworx-hotfix
    
  3. If the version listed in the command output is not in the list above, run the following to attempt to install the latest hotfix:

    ~iworx/bin/hotfix.pex --install --force
    
  4. Check the list again:

    rpm -q interworx-hotfix

If the hotfix version in the command output is still not one found in the above list, please enable Remote Assistance and then open a support ticket with InterWorx support.
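The four verification steps and the escalation rule above, automated as a POSIX shell script. This is an added example, not InterWorx tooling; it assumes `rpm -q interworx-hotfix` prints NAME-VERSION-RELEASE (optionally with rpm's default `.arch` suffix) and uses the hotfix.pex path given above. Run it as root with `--run` to perform the check and install; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example, not InterWorx tooling: automates the advisory's four check steps.
# Assumes rpm prints NAME-VERSION-RELEASE[.arch] and the hotfix.pex path above.
# Hotfix package names copied from the "Hotfixes Available" list in this advisory.
PATCHED_HOTFIXES="
interworx-hotfix-6.1.26.1577-13
interworx-hotfix-6.1.26.1626-126
interworx-hotfix-6.10.1.1856-28
interworx-hotfix-6.11.1.1929-3
interworx-hotfix-6.11.2.1931-4
interworx-hotfix-6.12.0.1943-15
interworx-hotfix-6.12.1.1964-3
interworx-hotfix-6.12.2.1984-6
interworx-hotfix-6.9.0.1810-34
interworx-hotfix-7.4.1.1851-12
interworx-hotfix-7.9.3.1969-3
interworx-hotfix-7.9.6.1987-3
interworx-hotfix-7.9.7.1991-3
interworx-hotfix-7.9.8.2025-1
"
# Strip a trailing architecture suffix (rpm's default query format appends one)
# so the output can be compared with the advisory list verbatim.
normalize_pkg() {
    case "$1" in
        *.noarch|*.x86_64|*.i686) printf '%s\n' "${1%.*}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}
# Return 0 if the rpm output names a patched hotfix, 1 otherwise. Any other
# output (e.g. "package interworx-hotfix is not installed") counts as unpatched.
is_patched() {
    pkg=$(normalize_pkg "$1")
    for fixed in $PATCHED_HOTFIXES; do
        if [ "$pkg" = "$fixed" ]; then return 0; fi
    done
    return 1
}
# Steps 2-4: query, force-install the latest hotfix if needed, and query again.
# Exit 0 = patched, 2 = still unpatched (escalate to InterWorx support).
check_and_fix() {
    current=$(rpm -q interworx-hotfix 2>&1)
    if is_patched "$current"; then echo "patched: $current"; return 0; fi
    echo "not patched ($current); forcing hotfix install"
    ~iworx/bin/hotfix.pex --install --force
    current=$(rpm -q interworx-hotfix 2>&1)
    if is_patched "$current"; then echo "patched after install: $current"; return 0; fi
    echo "STILL UNPATCHED ($current): enable Remote Assistance and open a ticket" >&2
    return 2
}
if [ "${1:-}" = "--run" ]; then check_and_fix; fi
```

The exit code (0 patched, 2 unpatched after a forced install) makes the script usable from a fleet-wide cron or SSH loop, so unpatched hosts can be listed rather than checked by hand.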