OTOBO Release Notes

OTOBO 10.0.16 – a security patch

28 April 2022

Security-related:

Criticality: High

  • Fixed an XSS vulnerability in package manager GUI (CVE-2022-0475).

Criticality: Medium (5.6)

Also new:

  • Update to Elasticsearch 7.17.3
  • Adapting S/MIME functionality to newer OpenSSL versions
  • Update of JavaScript libraries
  • Duplicate slashes are now merged in the called URL (PSGI)
  • Removed DashboardBackend###0000-ProductNotify
  • [Bugfix] CustomerTicketZoom: Corrected display for dynamic fields of type 'Title' with long text
  • [Bugfix] CustomerTicketZoom: Corrected a bug which caused an Enter in text fields (e.g. subject) to cancel replies.
  • Update of default texts in CustomerDashboard.
  • Highlight focused buttons in the customer interface (additionally to hovered ones).
  • [Bugfix] Corrected a bug which caused an error message upon Database Fields reinitialisation.

Please update as soon as possible.

Details about the admin vulnerability and how we deal with it in OTOBO:

In OTRS6 and legacy OTOBO versions there was no rigid separation of OTOBO Admin permissions and rights on the server. Some features explicitly granted access to the server providing the permissions of the executing program (e.g. apache2).

On the vast majority of systems this won't be a serious issue as very often OTOBO Admins have access to the server anyway. However, there will be systems, where the OTOBO Admin should not have such permissions.

In general, a separation of permissions is advisable anyway, in order to prevent an attacker who impersonates the OTOBO Admin from abusing the server as well.

Thus, we decided to treat these specific features as security issues and, in the future, only provide them with an explicit "opt-in" by the system administrator in Config.pm.

In order to activate them, copy the following options from Kernel/Config/Defaults.pm to Kernel/Config.pm and activate them:

  • Ticket::GenericAgentAllowCustomScriptExecution
  • DashboardBackend::AllowCmdOutput
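The following Config.pm excerpt is an added example (not taken from the OTOBO project or the release notes) of what such an opt-in looks like. It uses the hash-assignment form that Kernel/Config.pm settings are written in; the assigned values are an assumption, and both options are shown left at 0 so the server-side features stay disabled unless the system administrator deliberately turns one on.

```perl
# Kernel/Config.pm (excerpt) -- added example, not the OTOBO project's own file.
# Both options are the opt-ins named in the 10.0.16 release notes. Their
# values are assumed here: 0 keeps the feature disabled, 1 enables it.
package Kernel::Config;

sub Load {
    my $Self = shift;

    # ... other local settings ...

    # GenericAgent jobs may run custom scripts on the server only when this is 1.
    # Keep at 0 unless the OTOBO Admin is also trusted with server access.
    $Self->{'Ticket::GenericAgentAllowCustomScriptExecution'} = 0;

    # Dashboard backends may show the output of server commands only when this is 1.
    # Keep at 0 for the same reason.
    $Self->{'DashboardBackend::AllowCmdOutput'} = 0;

    return 1;
}

1;
```

Setting an option to 1 here re-grants the OTOBO Admin the server-side capability under the permissions of the web server user, so it is worth checking Config.pm for these two keys during a review of who effectively has shell-level access.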

Changes to SysConfig options

With this patch level release, several JavaScript libraries have been updated.
They are defined in the SysConfig options "Loader::Agent::CommonJS###000-Framework" and "Loader::Customer::CommonJS###000-Framework".

In case you changed these options manually in the SysConfig (which we do NOT recommend), it will not be possible to automatically update them.

In this case, please note down your changes, reset your settings, run the update and manually adapt the option again, if needed.