JPCERT-AT-2021-0047
JPCERT/CC
2021-10-20(Initial)
2021-12-17(Update)
I. Overview
On October 20, 2021, Six Apart Ltd. released information on an OS command injection vulnerability (CVE-2021-20837) in the Movable Type XMLRPC API. A remote attacker may be able to execute arbitrary OS commands by exploiting the vulnerability.
Six Apart Ltd.
MOVABLE TYPE 7 r.5003 (v7.8.2), v6.8.3: SECURITY UPDATE
https://movabletype.org/news/2021/10/mt-782-683-released.html
Users of the affected versions of Movable Type are recommended to apply the update as soon as possible by referring to the information provided by Six Apart Ltd.
Update: November 5, 2021
JPCERT/CC confirmed that Proof-of-Concept (PoC) code that appears to exploit this vulnerability was made public on October 26, 2021.
In addition, according to LAC Co., Ltd., scans checking for the vulnerability have been observed since October 27. Attacks attempting to place suspicious files in vulnerable environments were observed on November 1, and some of these attacks have been confirmed to be successful.
Users of the affected versions are advised to consider updating as soon as possible, and also to check whether their systems have been attacked through this vulnerability, by referring to the information provided by LAC Co., Ltd.
LAC Co., Ltd.
[Alert] Observed malicious attacks targeting Movable Type vulnerability. Take immediate measures! (Japanese)
https://www.lac.co.jp/lacwatch/alert/20211102_002780.html
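The check recommended above (whether the XMLRPC API has been hit before the update was applied) can be started from the web server's access log. The following is an added example, not code from JPCERT/CC, Six Apart Ltd. or LAC Co., Ltd. It assumes the Apache/nginx "combined" log format and assumes the endpoint is Movable Type's default XML-RPC script name, mt-xmlrpc.cgi (the directory in front of it differs per installation, so confirm the actual path first). The log lines are constructed for the example, using documentation address ranges.

```python
import re
from collections import Counter
from datetime import date, datetime

# Assumption: the XML-RPC endpoint is Movable Type's default CGI script name,
# mt-xmlrpc.cgi. Confirm the real path of your installation before use.
XMLRPC_PATH = re.compile(r"/mt-xmlrpc\.cgi(?:\?|$)")

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not taken from any real incident).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2021:03:14:07 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
198.51.100.7 - - [27/Oct/2021:08:22:41 +0900] "GET /blog/index.html HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Nov/2021:22:05:19 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 733 "-" "curl/7.79.1"
192.0.2.55 - - [01/Nov/2021:22:05:20 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 500 291 "-" "curl/7.79.1"
198.51.100.7 - - [02/Nov/2021:09:00:00 +0900] "GET /cgi-bin/mt/mt.cgi HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_xmlrpc_posts(log_text, since=None):
    """Return all POST requests to the XML-RPC endpoint.

    `since` is an optional ISO date ("2021-10-27"); entries before that local
    date are dropped. The alert reports scanning from October 27 and file-drop
    attempts from November 1, 2021, so those dates are natural starting points.
    """
    cutoff = date.fromisoformat(since) if since else None
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if not XMLRPC_PATH.search(entry["path"]):
            continue
        if cutoff is not None and entry["ts"].date() < cutoff:
            continue
        hits.append(entry)
    return hits


def unexpected_sources(hits, allowed_ips=frozenset()):
    """Count XML-RPC POSTs per source address, ignoring addresses known to use
    the API legitimately (e.g. your own publishing tools), so unknown clients
    surface first for manual review."""
    return Counter(h["ip"] for h in hits if h["ip"] not in allowed_ips)


if __name__ == "__main__":
    hits = find_xmlrpc_posts(SAMPLE_LOG, since="2021-10-27")
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["status"], h["ua"])
    print(unexpected_sources(hits, {"203.0.113.10"}).most_common())
```

Any XML-RPC POST from a client that is not one of your own publishing tools deserves a closer look; follow it up by checking the web root and Movable Type directories for files created or modified around the same timestamps, as LAC's report suggests attackers attempted to place files.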
Update: November 9, 2021
On October 22, 2021, Alfasado Inc. released a patch for PowerCMS that addresses the vulnerability in its XMLRPC API.
PowerCMS is a product based on Movable Type and may be affected by a similar vulnerability. It is therefore recommended to check the information published by Alfasado Inc. and apply countermeasures promptly.
Alfasado Inc.
Patch for PowerCMS 5.19/4.49/3.295 (Countermeasures for OS command injection vulnerability in XMLRPC API) (Japanese)
https://www.powercms.jp/news/release-patch-xmlrpc-api-202110.html
Update: November 25, 2021
The vulnerability in the PowerCMS XMLRPC API that Alfasado Inc. addressed on October 22, 2021 has been assigned CVE-2021-20850.
Japan Vulnerability Notes JVN#17645965
PowerCMS XMLRPC API vulnerable to OS command injection
https://jvn.jp/en/jp/JVN17645965/
Update: December 16, 2021
On December 16, 2021, Six Apart Ltd. announced that the fix in the versions released on October 20, 2021 had been confirmed to be insufficient, and released versions that address the vulnerability.
Six Apart Ltd.
Movable Type 7 r.5005 (v7.9.1), v6.8.5: SECURITY UPDATE
https://movabletype.org/news/2021/12/mt-791-685-released.html
Update: December 17, 2021
On December 16, 2021, Alfasado Inc. released a patch file that provides additional protection against the vulnerability, as the patch released on October 22 was insufficient.
Alfasado Inc.
A patch file for OS command injection vulnerability in XMLRPC API (JVN#17645965) (Japanese)
https://www.powercms.jp/news/release-fix-xmlrpc-api-202112.html
II. Affected Versions
Affected versions of Movable Type are as follows:
- Movable Type 7 r.5004 and earlier (Movable Type 7 Series)
- Movable Type 6.8.4 and earlier (Movable Type 6 Series)
- Movable Type Advanced 7 r.5004 and earlier (Movable Type Advanced 7 Series)
- Movable Type Advanced 6.8.4 and earlier (Movable Type Advanced 6 Series)
- Movable Type Premium 1.48 and earlier
- Movable Type Premium Advanced 1.48 and earlier
Update: December 16, 2021
Updated the information on versions affected by the vulnerability (CVE-2021-20837).
According to the developer, all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected by this vulnerability.
III. Solution
Six Apart Ltd. has released versions that address the vulnerability. Please consider updating as soon as possible.
- Movable Type 7 r.5005 (Movable Type 7 Series)
- Movable Type 6.8.5 (Movable Type 6 Series)
- Movable Type Advanced 7 r.5005 (Movable Type Advanced 7 Series)
- Movable Type Advanced 6.8.5 (Movable Type Advanced 6 Series)
- Movable Type Premium 1.49
- Movable Type Premium Advanced 1.49
Update: December 16, 2021
Updated the information on versions that address the vulnerability (CVE-2021-20837).
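To turn the affected and fixed version lists of sections II and III into a check an administrator can run against an installed version string, here is an added example; it is not code from JPCERT/CC or Six Apart Ltd. It assumes version labels in the forms used in this alert ("7 r.5004", "6.8.4", "Premium 1.48", or a bare "5.2.13"), and for dotted Movable Type 7 versions it relies on the equivalence r.5005 = v7.9.1 given in the December 16 update. Versions before 4.0 are outside what the alert states and are reported as such.

```python
import re

# Fixed releases per this alert (CVE-2021-20837). Movable Type 7 is labelled
# both by revision ("r.5005") and by dotted version ("v7.9.1"); both forms are
# listed so either style of label can be compared.
FIXED = {
    ("7", "rev"): (5005,),        # Movable Type 7 / Advanced 7
    ("7", "ver"): (7, 9, 1),      # same release, dotted form
    ("6", "ver"): (6, 8, 5),      # Movable Type 6 / Advanced 6
    ("premium", "ver"): (1, 49),  # Movable Type Premium / Premium Advanced
}


def parse_version(label):
    """Return (family, kind, version_tuple) for labels such as
    'Movable Type 7 r.5004', 'Movable Type Advanced 6.8.4',
    'Movable Type Premium Advanced 1.48' or a bare '5.2.13'."""
    s = label.strip()
    if re.search(r"\bPremium\b", s, re.IGNORECASE):
        m = re.search(r"(\d+(?:\.\d+)*)\s*$", s)
        if not m:
            raise ValueError(f"no version number in {label!r}")
        return ("premium", "ver", tuple(int(x) for x in m.group(1).split(".")))
    # Revision-style label: "<major> r.<revision>"
    m = re.search(r"\b(\d+)\s+r\.(\d+)\s*$", s)
    if m:
        return (m.group(1), "rev", (int(m.group(2)),))
    # Dotted label: "<major>.<minor>.<patch>"; the family is the major number.
    m = re.search(r"\b(\d+(?:\.\d+)*)\s*$", s)
    if not m:
        raise ValueError(f"no version number in {label!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    return (str(parts[0]), "ver", parts)


def assess(label):
    """Classify an installed version against the alert's affected/fixed lists."""
    family, kind, ver = parse_version(label)
    if family == "premium":
        return "fixed" if ver >= FIXED[("premium", "ver")] else "affected"
    major = int(family)
    if major < 4:
        return "out of scope"  # the alert only covers 4.0 and later
    if major in (4, 5):
        # Affected according to the developer, and no fixed release exists for
        # these EOL series; the remedy is migrating to a fixed series.
        return "affected (EOL, no fixed version)"
    key = (family, kind)
    if key not in FIXED:
        raise ValueError(f"{label!r} is not covered by this alert")
    return "fixed" if ver >= FIXED[key] else "affected"


if __name__ == "__main__":
    for label in ("Movable Type 7 r.5004", "Movable Type Advanced 6.8.5",
                  "Movable Type Premium 1.48", "5.2.13"):
        print(f"{label}: {assess(label)}")
```

Note that the check only tells you whether the installed build is one the developer lists as fixed; an instance that was exposed before updating still needs the log and file review described in the November 5 update.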
IV. Workarounds
If it is difficult to take measures against this vulnerability promptly, Six Apart Ltd. has provided information on workarounds that reduce the impact of attacks exploiting the vulnerability. For details, please check the information provided by Six Apart Ltd.
V. References
Six Apart Ltd.
MOVABLE TYPE 7 r.5003 (v7.8.2), v6.8.3: SECURITY UPDATE
https://movabletype.org/news/2021/10/mt-782-683-released.html
Japan Vulnerability Notes JVN#41119755
Movable Type XMLRPC API vulnerable to OS command injection
https://jvn.jp/en/jp/JVN41119755/
Update: December 16, 2021
Six Apart Ltd.
Movable Type 7 r.5005 (v7.9.1), v6.8.5: SECURITY UPDATE
https://movabletype.org/news/2021/12/mt-791-685-released.html
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2021-10-20 First edition
2021-11-05 Updated "I. Overview"
2021-11-09 Updated "I. Overview"
2021-11-25 Updated "I. Overview", revised information updated on 2021-11-09
2021-12-16 Updated "I. Overview", "II. Affected Versions", "III. Solution" and "V. References"
2021-12-17 Updated "I. Overview"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/