OTOBO Release Notes
OTOBO 10.1.3 – a security patch
28 April 2022
Security-related:
- OTOBO admins, or attackers impersonating an OTOBO admin, could use certain OTOBO features to obtain permissions on the server as well. In the future, those features will only be available after an explicit opt-in by the system administrator.
(More details about the admin vulnerability and how to deal with it below)
Criticality: High
- Fixed an XSS vulnerability in package manager GUI (CVE-2022-0475).
Criticality: Medium (5.6)
Also new:
- Update to Elasticsearch 7.17.3
- Adapting S/MIME functionality to newer OpenSSL versions
- Update of JavaScript libraries
- Enhanced CustomerTicketCategories
Added Type, Service and State to TicketZoom and TicketList, added an option to maintain translations in the frontend, templates and links.
- Support for CustomerIDRaw in GenericInterface TicketSearch
Please update as soon as possible.
Details about the admin vulnerability and how we deal with it in OTOBO:
In OTRS6 and earlier OTOBO versions there was no strict separation between OTOBO Admin permissions and rights on the server. Some features explicitly granted access to the server with the permissions of the executing program (e.g. apache2).
On the vast majority of systems this won't be a serious issue, as OTOBO Admins very often have access to the server anyway. However, there are systems where the OTOBO Admin should not have such permissions.
In general, a separation of permissions is advisable anyway, in order to prevent an attacker who impersonates the OTOBO Admin from also abusing the server.
Thus, we decided to treat the specific features as security issues and, in the future, to provide them only after an explicit "opt-in" by the system administrator in Config.pm.
To activate them, copy the following options from Kernel/Config/Defaults.pm to Kernel/Config.pm and enable them there:
- Ticket::GenericAgentAllowCustomScriptExecution
- DashboardBackend::AllowCmdOutput
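As an added check (not part of these release notes or of the OTOBO code base), the following POSIX shell audit reports whether either opt-in option is enabled in a Kernel/Config.pm. It assumes the usual `$Self->{'Option'} = 1;` assignment syntax and treats an absent or commented-out assignment as disabled; the sample Config.pm it inspects is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a Kernel/Config.pm for the two opt-in options that grant server-side
# execution. Added example, not OTOBO code; assumes $Self->{'Key'} = N; syntax.

# Print the effective value of one option: the number assigned in the last
# non-comment "$Self->{'Key'} = N;" line, or 0 when no such line exists.
# $1 = path to Config.pm, $2 = option name
otobo_opt_in_value() {
    grep -F "\$Self->{'$2'}" "$1" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | sed -n 's/.*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p' \
        | tail -n 1 | grep . || echo 0
}

# Report both options; exit status 0 only when neither feature is enabled.
# $1 = path to Config.pm
otobo_audit_opt_ins() {
    enabled=0
    for key in Ticket::GenericAgentAllowCustomScriptExecution DashboardBackend::AllowCmdOutput; do
        if [ "$(otobo_opt_in_value "$1" "$key")" = "1" ]; then
            echo "ENABLED  $key (grants execution on the server; confirm this is intended)"
            enabled=1
        else
            echo "disabled $key"
        fi
    done
    return $enabled
}

# Constructed sample Config.pm fragment (not taken from a real installation):
# one option enabled, the other only present as a comment.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
package Kernel::Config;
sub Load {
    my $Self = shift;
    # $Self->{'DashboardBackend::AllowCmdOutput'} = 1;
    $Self->{'Ticket::GenericAgentAllowCustomScriptExecution'} = 1;
    return 1;
}
1;
EOF

otobo_audit_opt_ins "$SAMPLE_CONFIG" \
    || echo "at least one server-side execution feature is opted in"
```

Run it against the real `Kernel/Config.pm` of an installation after the update; a non-zero exit status flags a system on which the features have been re-enabled.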
Changes to SysConfig options
JavaScript
With this patch level release, several JavaScript libraries have been updated.
They are defined in the SysConfig options "Loader::Agent::CommonJS###000-Framework" and "Loader::Customer::CommonJS###000-Framework".
In case you changed these options manually in the SysConfig (which we do NOT recommend), it will not be possible to automatically update them.
In this case, please note down your changes, reset your settings, run the update and manually adapt the option again, if needed.
CustomerTicketCategories
With OTOBO 10.1.2 we introduced the possibility to define State and Service in CustomerTicketCategories.
Until now, the translation of those elements was hard-coded. We changed this and implemented a general configuration functionality.
In case you are using one of the categories and need individual translations, please expand the relevant SysConfig option (e.g. "Ticket::Frontend::CustomerTicketCategories###State") with the following attribute: "Translate"->"1".