JPCERT-AT-2016-0019 JPCERT/CC 2016-04-26(Initial) 2016-05-06(Update) <<< JPCERT/CC Alert 2016-04-26 >>> Alert on vulnerability in Keitai Kit for Movable Type https://www.jpcert.or.jp/english/at/2016/at160019.html I. Overview Keitai Kit for Movable Type provided by ideaman's Inc. contains an OS command injection vulnerability (CVE-2016-1204). Leveraging this vulnerability may result in arbitrary OS command being executed on the server where thesoftware runs. For more details on the vulnerability and its impact, please refer to the following information. Japan Vulnerability Notes JVNVU#92116866 OS command injection vulnerability in Keitai Kit for Movable Type (Japanese) https://jvn.jp/vu/JVNVU92116866/ There is information that attacks leveraging this vulnerability are already observed. II. Affected Software The following product and the versions are affected by this vulnerability. ideaman's Inc. has provided information for users of Keitai Kit for Movable Type, including a plugin to confirm whether their product is affected by this vulnerability. - Keitai Kit for Movable Type - versions 1.35 through 1.641 Also, other products that contain or use Keitai Kit for Movable Type may be affected by this vulnerability. III. Solution ideaman's Inc. has provided an updated version and a patch that address this vulnerability. Please consider applying the update or patch after thorough testing. - Keitai Kit for Movable Type 1.65 Also, vendors providing products that contain or use Keitai Kit for Movable Type may provide information on fixed versions. We recommend periodically checking information provided by such vendors. ** Update: May 6, 2016 Update **************************************** According to ideaman's Inc., it is recommended to update to the latest version 1.65 rather than applying the patch. ideaman's Inc. [2016-04-22] We now provide emergency patch (Update: 4/28)(Japanese) https://www.ideamans.com/release/20160422/ ************************************************************************ IV. References ideaman's Inc. [Important] We now provide Keitai Kit for Movable Type 1.65 (Japanese) https://www.ideamans.com/release/20160423/ ** Update: May 6, 2016 Update **************************************** ideaman's Inc. [Important] We now provide a tool for verifying malicious file leveraging the vulnerability of Keitai Kit for Movable Type (Japanese) https://www.ideamans.com/release/20160428/ Inquiry counter regarding license of Keitai Kit for Movable Type (Japanese) https://www.ideamans.com/release/20160502/ ********************************************************************* SKYARC Co., Ltd, [Critical] Information on emergency patch file for Keitai Kit (Japanese) https://www.skyarc.co.jp/news/products/20160422.html Six Apart, Ltd. Keitai Kit for Movable Type 1.65 is now being provided (Japanese) http://www.sixapart.jp/movabletype/news/2016/04/23-2039.html If you have any information regarding this alert, please contact JPCERT/CC. ________ Revision History 2016-04-26 First edition 2016-05-06 Updated "Solution" and "References" ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/