IceWarp has released a new security update to address two medium-severity vulnerabilities found during our regular security audits. One of the vulnerabilities could allow an attacker to perform a cross-site scripting attack, while the other vulnerability may allow arbitrary file read from the source system. Both vulnerabilities affect the WebClient interface.
It is strongly recommended to update your IceWarp instance as soon as possible to the following versions or newer:
- IceWarp Epos Update 2: Upgrade to version 14.2.0.12 or newer.
- IceWarp Epos Update 1: Upgrade to version 14.1.0.20 or newer.
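To check an inventory of IceWarp hosts against the fixed builds named above, the following added example (not IceWarp's own code) compares each installed version with the minimum fixed build for its release branch. The fixed versions 14.1.0.20 and 14.2.0.12 come from this advisory; the function names, the inventory format and the sample hostnames are assumptions made for the example.

```python
"""Check installed IceWarp builds against the advisory's fixed versions.
Added example; only the two fixed version numbers come from the advisory."""
from typing import Iterable, List, Optional, Tuple

# Minimum fixed build per release branch, as stated in the advisory.
FIXED_VERSIONS = {
    (14, 1): (14, 1, 0, 20),   # Epos Update 1
    (14, 2): (14, 2, 0, 12),   # Epos Update 2
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.2.0.12' into (14, 2, 0, 12); reject non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str) -> Optional[bool]:
    """True if the build carries the fix, False if it needs the update,
    None if the branch is not covered by this advisory (e.g. older 14.0
    builds, which the advisory lists only as 'possibly' affected)."""
    version = parse_version(installed)
    branch = version[:2]
    if branch not in FIXED_VERSIONS:
        return None
    # Pad short strings so that '14.2' compares like '14.2.0.0'.
    padded = version + (0,) * (4 - len(version))
    return padded >= FIXED_VERSIONS[branch]


def triage(hosts: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """hosts: (hostname, version) pairs, e.g. from an inventory export.
    Returns (hosts needing the update, hosts on an uncovered branch)."""
    needs_update, unknown = [], []
    for host, version in hosts:
        state = is_patched(version)
        if state is None:
            unknown.append(host)
        elif not state:
            needs_update.append(host)
    return needs_update, unknown


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real hosts.
    sample = [("mail1", "14.2.0.12"), ("mail2", "14.2.0.11"),
              ("mail3", "14.1.0.20"), ("mail4", "14.1.0.19"),
              ("mail5", "14.0.0.5")]
    print(triage(sample))
```

Hosts reported in the second list run a branch the advisory gives no fixed build for, so they should be treated as unpatched and scheduled for the gradual upgrade path described below rather than silently skipped.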
To our knowledge, no customers have been affected by these vulnerabilities to date; however, we strongly recommend using the latest versions.
If you have any reason to downgrade your IceWarp instance, follow these instructions:
If you are performing the update yourself, be sure to back up the entire server and update versions gradually, as described in our articles:
If you have any hesitation about installing it yourself, our Support team is here to guide you through the process. Don’t hesitate to get in touch.
DOWNLOAD BUILDS
- EPOS Update 2 (14.2.0.12) on RHEL9, RHEL8, and Windows + remote admin console
- EPOS Update 1 (14.1.0.20) on RHEL9, RHEL8, RHEL7 and Windows + remote admin console
FREQUENTLY ASKED QUESTIONS (FAQ)
- What happened?
  As part of our routine penetration testing, we received a report highlighting two medium-severity vulnerabilities. One of the vulnerabilities could allow an attacker to perform a cross-site scripting attack, while the other vulnerability may allow arbitrary file read from the source system.
- Who was affected?
  Both Cloud and On-premises instances could be affected; however, there has been no actual incident. The patch has already been deployed in the Cloud, and the On-premises version is available for download above.
- Which IceWarp versions are affected?
  The issue affects versions 14.1.0 and possibly earlier, including the latest release.
- Does the vulnerability affect Windows or Linux?
  The vulnerability affects both operating systems.
- Was there any recorded case?
  No, our clients' security has not been compromised.
- What corrective measures have been taken?
  A security patch was prepared and distributed to our partners and clients, along with installation instructions for the new version (On-premises). Regarding the Cloud, this update has already been implemented across all instances.
- How will the patch be distributed?
  The patch will be distributed via a KB link attached to an email; recipients will not need to locate any additional files or information. All required installation instructions and supporting details will be provided in the KB.
- How do you plan to prevent such incidents in the future?
  Such incidents cannot be completely avoided; however, we will continue to conduct regular security audits and implement more frequent updates and patches to proactively address potential vulnerabilities.