In June we published a security advisory in which we mentioned fixing 3 CSRF vulnerabilities (CTR-1643, CTR-1644 and CTR-1645). We stated that these vulnerabilities were fixed in 2.235.1.2 and the fixed line 2.190.31.0.2 rev6. In fact, those releases contained those fixes as notified.
However, these vulnerabilities should have also been fixed in the subsequent releases of the 2.222 fixed line, but were not included due to a newly discovered issue with our release process . Specifically, the following releases should have included these fixes, but did not:
2.222.41.0.1
2.222.42.0.1
2.222.42.0.2
Upon discovering this omission, we immediately analysed the impact of this to our customers. We have confirmed that only these 3 issues (CTR-1643, CTR-1644 and CTR-1645) were omitted from those releases
We are producing a new security incremental (2.222.42.0.2 rev2) to address these vulnerabilities and we strongly recommend customers update to this version. We are treating this as a major incident and are already taking actions to fix the identified issue in our release process so that this cannot happen again.
Please accept our sincere apologies for this omission.
CSRF in Miscellaneous Configuration Container Configuration
CTR-1643
We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.
CSRF in Client Master Manage > Push Configuration
CTR-1644
We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.
CSRF in Shared Agent Configuration
CTR-1645
We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.