These releases fix two critical security vulnerabilities: a SQL injection (CVE-2022-35947) and a remote code execution (CVE-2022-35914, a vulnerability in the third-party library htmlawed). The latter has been massively exploited since October 3, 2022 to execute code on insecure, internet-facing servers hosting GLPI (GLPI Network Cloud instances are not impacted).
If you are not on the latest version 9.5.9 or 10.0.3, you must update your instances according to the recommended method (from an empty folder, without overwriting existing GLPI files).
We have noticed a scenario in which the corrected versions can still be affected: when a GLPI update was performed by unpacking the archive over the existing folders and files. We insist that this way of updating GLPI is bad practice; quite apart from the current security problem, it exposes you to bugs.
We invite you to correctly re-install your GLPI as indicated in the documentation:
from an empty folder
copy the files from the archive of the latest version
get your config/ and files/ directories from the old instance.
Workarounds to deal with the RCE urgently (these do not fix the SQL injection):
delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file, which is legitimate).
prevent web access to the vendor/ folder, for example with a suitable .htaccess in the case of Apache.
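As an added check, not part of the GLPI advisory, the POSIX shell script below audits a GLPI installation directory for the two workarounds above and can write the vendor/.htaccess; the function names are hypothetical, and it assumes Apache is configured to honour .htaccess files for that path (AllowOverride Limit/AuthConfig).

```shell
#!/bin/sh
# Added example (not from the GLPI advisory): audit whether the two RCE
# workarounds have been applied to a GLPI installation directory.
# Usage: glpi_rce_workaround_status /var/www/glpi
# Returns 0 when both workarounds are in place, 1 otherwise.

# Path of the test script named in the advisory (relative to the GLPI root).
TEST_FILE="vendor/htmlawed/htmlawed/htmLawedTest.php"

glpi_rce_workaround_status() {
    root="$1"
    status=0
    if [ -f "$root/$TEST_FILE" ]; then
        echo "MISSING: $TEST_FILE still present (delete it; keep htmLawed.php)"
        status=1
    fi
    ht="$root/vendor/.htaccess"
    # Accept either the Apache 2.4 or the Apache 2.2 deny directive.
    if [ -f "$ht" ] && grep -Eiq 'Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all' "$ht"; then
        :
    else
        echo "MISSING: $ht does not deny web access to vendor/"
        status=1
    fi
    return "$status"
}

# Writes a vendor/.htaccess that denies web access on both Apache 2.2 and 2.4.
# Only effective if the vhost grants AllowOverride for this directory.
write_vendor_htaccess() {
    root="$1"
    cat > "$root/vendor/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}
```

Run the status function again after the upgrade: the permanent fix is the clean re-install described above, and the .htaccess only helps if the web server actually reads it.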
If your server has already been compromised, you probably need to start from a new server, onto which you import your SQL dump and the folders mentioned above.
A critical vulnerability in Apache Log4j has been disclosed and registered as CVE-2021-44228 with the highest severity rating. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. By exploiting this vulnerability, a remote attacker could take control of the affected system.
We would like to assure all users that GLPI core and its plugins, which are written in PHP and do not use Log4j, are not affected by the Log4Shell vulnerability.
Exploiting this vulnerability requires a Java Virtual Machine and a vulnerable version of the org.apache.logging.log4j.core.lookup.JndiLookup Java class. Neither is included in or used by GLPI distributions.
We can also confirm that:
GLPI Android Agent (written in Java) does not use the Log4j library, and thus is not affected by the Log4Shell vulnerability
GLPI Agent (written in Perl) is not affected by the Log4Shell vulnerability
Warning: this does not mean that layers or tools upstream of GLPI (reverse proxy, firewall, etc.) or connected to GLPI, which we cannot know about in your context, are unaffected.
For example, if you have a Metabase server connected to GLPI, note that Metabase (<0.41.4) is affected by the Log4j vulnerability, and you should update it ASAP!
Procsi is an Information System Integrator and Operator. It is a small but strong company started by a group of experienced professionals, with references ranging from small to large companies, operating in the following fields:
AUDIT & CONSULTING: IS strategy, security, project management, ITSM; IT MANAGEMENT: management of computers, servers, networks, telephony; INTEGRATION: business software, ITIL tools, processes; TELEPHONY: network infrastructure, VoIP network security, SBC.
We are proud that the GLPI ITSM solution is becoming more and more represented all over the world, and that the GLPI Network subscription service (our support offer for on-premises installations – get your IT infrastructure secured) will be available to more customers through our new partners.
Our large partner network is always open to new collaborations. If you are interested in representing one of our products in your country, get in touch with us: click here.
Being a partner means having direct access to Teclib's technical database, new releases, official support and many other tools that will help you gain more customers and increase your reputation on the market. Find out about all the benefits of being a partner by sending us an email: click here.
Formcreator is a GLPI plugin that lets you create easily accessible custom forms. Using Formcreator in GLPI, you can offer your users an alternative way of creating tickets. All forms are completely translatable and a wide selection of field types is available. Today we are happy to announce the release of Formcreator plugin version 2.12.0 beta:
Meet the new feature: translatable forms! Now you can translate any form into any language without having to duplicate it. We have prepared a video to showcase the feature:
If you use anonymous forms, the plugin detects the browser's language and attempts to use the suitable translation (if available).