Recently, a series of security vulnerabilities were reported that affect Carousel 7: CVE-2018-14573, CVE-2018-18929, CVE-2018-18930, and CVE-2018-18931.
In this article, we will review what customers can do to immediately mitigate these vulnerabilities on their servers, and announce a schedule for patch releases that implement these mitigations. This solution will disable a common workflow of uploading bulletin content directly. A suggested workaround, until the patches are released, is to upload the content as media and use that media in a template content block.
Customers running the affected Carousel versions above are impacted if they have not changed the initial admin account password.
In this case, it is possible for an unauthorized user to log in using these credentials and upload a specially crafted bulletin package that can run arbitrary commands on the Carousel server.
If you are running an affected version of Carousel, these steps must be performed on your Carousel server immediately.
This next step is optional, but recommended if you have access to modify configuration files on your server and are comfortable doing so.
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
After adding the code above, the contents of the file should look similar to the screenshot below:
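As an added check that is not part of the original advisory, the following Python script audits the handlers section of a web.config to confirm that the directory it governs is served as static content only (a single StaticFile mapping behind a <clear />, with Read access). Both sample configurations are constructed; which directory's web.config to check is assumed to be the one the optional step above refers to.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config whose <handlers> section is reduced to the
# single StaticFile mapping quoted in the advisory. <system.webServer>,
# <handlers> and <clear /> are standard IIS configuration elements.
HARDENED_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>"""

# Constructed sample: the same mapping without <clear />, so script handlers
# inherited from the parent site still apply to files in this directory.
WEAK_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>"""

# Modules that only serve content; anything else could execute an upload.
STATIC_MODULES = {"StaticFileModule", "DefaultDocumentModule", "DirectoryListingModule"}

def audit_handlers(config_xml):
    """Return a list of findings for the <handlers> section of a web.config.
    An empty list means the directory is served as static content only."""
    root = ET.fromstring(config_xml)
    handlers = root.find("./system.webServer/handlers")
    if handlers is None:
        return ["no <handlers> section: inherited handlers apply unchanged"]
    findings = []
    if handlers.find("clear") is None:
        findings.append("missing <clear />: inherited script handlers still apply")
    for add in handlers.findall("add"):
        name = add.get("name", "?")
        extra = set(add.get("modules", "").split(",")) - STATIC_MODULES
        if extra:
            findings.append(f"handler {name} uses non-static modules: {sorted(extra)}")
        if add.get("requireAccess") != "Read":
            findings.append(f"handler {name} grants more than Read access")
    return findings
```

Point `audit_handlers` at the contents of the real web.config after editing it; any finding means inherited or non-static handlers can still run content from that directory.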
The following versions of Carousel contain resolutions to the CVEs listed above.
These releases will be available to all users the week of Feb 11th, 2019. This post will be updated when releases are available.