See full release notes on verinice.com.
With this release, the verinice.TEAM closes a security gap. Updating to the new version is strongly recommended for security reasons.
Users of the verinice.PRO server should install the available RPM packages from the customer repository using the known update procedure.
Users of the verinice standalone version will be prompted to install the updated version at startup. If the automatic update mechanism has been disabled by the user, the update can be triggered manually using the following menu item: Help -> Check for Updates
Vulnerability description
A vulnerability in the communication between the client and server components can be used to execute arbitrary code on the server. The prerequisite for exploiting the vulnerability is completed authentication with an account on the verinice.PRO server, with or without admin privileges. Without such an account, the vulnerability cannot be exploited.
- CVE-2021-36981
- Affected Versions: All versions of verinice and verinice.PRO prior to 1.22.2.
verinice uses Java serialization for communication between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework used are vulnerable to exploits that can be used to execute arbitrary code on the server component.
Since the server component is also used in the standalone mode of verinice, the vulnerability could theoretically be used to attack the standalone client as well. In the attack, arbitrary commands can be executed on the same machine, but with the rights and context of the verinice client. This second attack variant has not been verified by us, but as a precaution, we still recommend all users of the standalone client to install the available patch as well.
The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and read information, including all data in the verinice database.
A detailed description of the vulnerability can be found here: verinice.com/cve-2021-36981