Enfold Server / Plone security notice

Critical Security Notice: Affects Enfold Server 4.0 – 4.5 / Plone 3.0.x – 3.3.

A vulnerability has been found in the Zope Object Database (ZODB) Zope Enterprise Objects (ZEO) server implementation that allows any file readable by the server to be read by clients and any file removable by the server to be removed.

Who is affected?

This vulnerability affects any system running ZEO in a non-default configuration. ZEO server listens only on the localhost interface by default but if the ZEO server is listening on another interface, than an upgrade is recommended. Open up the zeo.conf file and determine what IP the ZEO server is listening.

NOTE: Only trusted machines should be allowed to connect to a ZEO server port. Never expose a ZEO server to the public interface.

Enfold's hosted and support contract clients that require additional assistance may contact our support department at [email protected].

Download the Windows only patch installer

Patch works with Plone 3.0.x – 3.3 or Enfold Server 4.0 - 4.5
Patch has not been tested with Plone 2.0.x - 2.5.x or Enfold Server 3.x or older
See also source reference documentation at bottom of this message

Instructions to apply patch:

Back up
Install Patch
Start Zope client in Debug mode
If Zope does not error out Patch is successful
After patch install a prompt to "reboot server or no do not reboot your server" is displayed.
Select the option not to restart your server

If option not to reboot the server is selected, stop and restart the ZEO server for patch to take effect

Reference Documentation:

CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers

CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers