IceWarp is releasing a security update to address several vulnerabilities found during our regular security audits. These vulnerabilities could allow an attacker to conduct a cross-site scripting attack on WebClient users or enable remote file uploads to the IceWarp Server.
We strongly urge all customers to update their IceWarp instance as soon as possible:
- Users running IceWarp Deep Castle or older versions should upgrade to version 13.0.3.12 or later
- Users with the first generation of IceWarp Epos should upgrade to version 14.0.0.17 or later
- Users currently running IceWarp Epos Update 1 should upgrade to version 14.1.0.7 or later
To our knowledge, no customers have been impacted by these vulnerabilities thus far.
The addressed vulnerabilities are listed below:
- Fixed a possible XSS injection via malicious emails containing an HTML tag. No command is executed if the user merely opens the email; however, when the email is forwarded or replied to, the user sees a pop-up showing the ‘command’, which means the command defined in the email’s HTML tag was executed.
- RCP protocol vulnerabilities:
  - Checks for authentication were added
  - Existing authentications were reviewed
  - Deprecated RCP commands were removed
  - The code style for authentication checks was unified and refactored
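The XSS item above describes a classic failure mode: markup that is inert when a message is displayed becomes active on the reply/forward path, because that path copies the original HTML into the compose editor. The defensive point is that the same allow-list sanitization has to run on every path that re-embeds untrusted HTML, not only on display. The following is an added example written for this advisory and is not IceWarp WebClient code; the allow-list policy, the `sanitize_html`/`quote_for_reply` names and the sample message are all constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple

# Allow-list policy (an assumption for this example, not IceWarp's policy):
# a few formatting tags, and URL attributes only with safe schemes.
ALLOWED_TAGS = {"p", "br", "div", "span", "b", "i", "u", "em", "strong",
                "ul", "ol", "li", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")
VOID_TAGS = {"br", "img"}


class _Sanitizer(HTMLParser):
    """Rebuilds the markup from the allow-list; everything else is dropped and logged."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[str] = []   # what was removed, useful for logging/detection
        self._skip = 0                 # >0 while inside <script>/<style>: drop content too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # event handlers and unknown attributes
                continue
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@{name}")   # javascript:, data:, relative URLs, ...
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape decoded text


def sanitize_html(body: str) -> Tuple[str, List[str]]:
    """Return (clean_html, dropped_items) for an untrusted HTML email body."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


def quote_for_reply(original_html: str) -> str:
    """The reply/forward path must sanitize too: the quoted body is loaded into the
    composer, which is where markup that was inert on display can become active."""
    clean, _dropped = sanitize_html(original_html)
    return "<blockquote>" + clean + "</blockquote>"


# Constructed sample message for the demonstration (not a real captured email).
SAMPLE_EMAIL_HTML = (
    "<p>Hello, please see the attached invoice.</p>"
    "<img src=\"https://example.com/logo.png\" onerror=\"alert('command')\">"
    "<script>alert('command')</script>"
    "<a href=\"javascript:alert('command')\">link</a>"
    "<a href=\"https://example.com/invoice\">real link</a>"
)

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE_EMAIL_HTML)
    print(clean)
    print("dropped:", dropped)
    print(quote_for_reply(SAMPLE_EMAIL_HTML))
```

The `dropped` list is the part worth wiring into logging: a message whose body needed an event handler or a `script` element removed is a useful signal for mail-flow monitoring even when the sanitizer did its job.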
Due to the security update, we also had to fix the Remote Administration Console protocol, which affects compatibility. Please see Remote Administration Console Update to learn more.
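The RCP fixes listed above (authentication checks added and reviewed, deprecated commands removed, the check code unified) describe a pattern that is easier to audit when authentication is enforced at a single dispatch point rather than inside each handler. The sketch below is an added example of that pattern, not IceWarp's RCP implementation; the command names, the session model, the credential store and the reply format are all hypothetical.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None   # None until LOGIN succeeds
    is_admin: bool = False


class AuthRequired(Exception):
    pass


class AdminRequired(Exception):
    pass


class UnknownCommand(Exception):
    pass


Handler = Callable[[Session, List[str]], str]
# command name -> (handler, requires_auth, requires_admin)
_COMMANDS: Dict[str, Tuple[Handler, bool, bool]] = {}


def command(name: str, *, auth: bool = True, admin: bool = False):
    """Register a command handler. `auth` defaults to True, so a command that is
    reachable before login must say so explicitly, and the opt-outs are easy to audit."""
    def register(fn: Handler) -> Handler:
        _COMMANDS[name.upper()] = (fn, auth, admin)
        return fn
    return register


# Constructed credential store for the example (hypothetical accounts; a real server
# would verify a salted password hash rather than compare plaintext).
_USERS = {"admin": ("admin-secret", True), "alice": ("alice-secret", False)}


@command("LOGIN", auth=False)
def login(session: Session, args: List[str]) -> str:
    if len(args) != 2:
        return "ERR syntax"
    user, password = args
    stored = _USERS.get(user)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return "ERR invalid credentials"
    session.user, session.is_admin = user, stored[1]
    return "OK"


@command("NOOP", auth=False)
def noop(session: Session, args: List[str]) -> str:
    return "OK"


@command("GETVERSION")
def get_version(session: Session, args: List[str]) -> str:
    return "OK version-placeholder"


@command("SETOPTION", admin=True)
def set_option(session: Session, args: List[str]) -> str:
    return "OK"


def dispatch(session: Session, line: str) -> str:
    """Single choke point: every command passes the same checks before its handler runs.
    A deprecated command is simply not registered, so it cannot be reached at all."""
    parts = line.strip().split()
    if not parts:
        return "ERR empty"
    name, args = parts[0].upper(), parts[1:]
    entry = _COMMANDS.get(name)
    if entry is None:
        raise UnknownCommand(name)
    handler, needs_auth, needs_admin = entry
    if needs_auth and session.user is None:
        raise AuthRequired(name)
    if needs_admin and not session.is_admin:
        raise AdminRequired(name)
    return handler(session, args)


def run(session: Session, line: str) -> str:
    """Wire-level reply: policy failures are reported uniformly and never reach a handler."""
    try:
        return dispatch(session, line)
    except (UnknownCommand, AuthRequired, AdminRequired) as exc:
        return f"ERR {type(exc).__name__}"


def commands_without_auth() -> List[str]:
    """Review aid: the commands that deliberately skip the login check."""
    return sorted(n for n, (_, needs_auth, _) in _COMMANDS.items() if not needs_auth)


if __name__ == "__main__":
    s = Session()
    for line in ("GETVERSION", "LOGIN alice alice-secret", "GETVERSION", "SETOPTION x y"):
        print(line, "->", run(s, line))
    print("commands reachable before login:", commands_without_auth())
```

`commands_without_auth()` is the review step in code form: the set of pre-login commands is a short, explicit list that can be compared against what the protocol is supposed to expose, instead of having to be inferred from scattered checks in individual handlers.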
We strongly recommend using the latest versions; however, if you have a reason to downgrade the IceWarp Server, see How to downgrade IceWarp Server to the pre-patched version.
If you need any help or consultation, feel free to contact our support.
Downloads
Deep Castle (13.0.3.12) on RHEL7 and Windows
EPOS (14.0.0.17) on RHEL7, RHEL8, RHEL9 and Windows
EPOS Update 1 (14.1.0.7) on RHEL7, RHEL8, RHEL9 and Windows