We published corrective versions on september 14, 2022:
- 9.5.9: https://github.com/glpi-project/glpi/releases/download/9.5.9/glpi-9.5.9.tgz
- 10.0.3: https://github.com/glpi-project/glpi/releases/download/10.0.3/glpi-10.0.3.tgz
These fix two critical security vulnerabilities: a SQL Injection (CVE-2022-35947), and a Remote Code Execution (CVE-2022-35914, vulnerability in the third-party library, htmlawed), the latter has been massively exploited since October 3, 2022 to execute code on insecure servers, available on the internet, hosting GLPI (GLPI Network Cloud instances are not impacted).
If you are not on the latest version 9.5.9 or 10.0.3, you must update your instances according to the recommended method (from an empty folder, without overwriting existing GLPI files).
We noticed there is a scenario where the corrective versions can also be impacted: when a GLPI update has been performed, by unpacking the archive over the existing folders and files. We insist this way of updating GLPI is a bad practice and despite the current security problem, exposes you to bugs.
We invite you to correctly re-install your GLPI as indicated in the documentation:
- from an empty folder
- copy the files from the archive of the latest version
- get your
config/andfiles/directories from the old instance.
Workarounds to deal with RCE urgency (this does not fix SQL injection):
- delete the
vendor/htmlawed/htmlawed/htmLawedTest.phpfile (be careful not to touch thehtmLawed.phpfile which is legitimate). - prevent web access to the
vendor/folder by setting (in the case of Apache for example) an adequate.htaccess.
If your server has already been corrupted, you probably need to start from a new server, on which you will import your SQL dump and the folders mentioned above.