
Unsafe Deserialization of User Data Using XStream

High
gnaegi published GHSA-596v-3gwh-2m9w Aug 31, 2021

Package

No package listed

Affected versions

<15.5.3

Patched versions

15.3.18, 15.5.3

Description

Impact

Using a prepared import XML file (e.g. a course export), an attacker can have any class on the Java classpath instantiated during deserialization, including Spring AOP bean factories. This can be used to execute arbitrary code on the server.

The attack requires an OpenOlat user account with the authoring role. It cannot be exploited by unregistered users.
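The root cause described above is XStream resolving whatever class name the import XML supplies. The following is an added example, not OpenOlat's code or its actual fix: it puts the unrestricted pattern beside an allow-listed XStream instance, using a hypothetical two-field course model (`CourseExport`) and a hypothetical classpath class (`NotACourse`) that stands in for a gadget type. Instantiating `NotACourse` is harmless; in a real attack the element would name a class (the advisory cites Spring AOP bean factories) whose instantiation or field population runs attacker-chosen code.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical stand-in for a course export: the only type an importer should produce.
class CourseExport {
    public String title;
    public int nodeCount;
}

// Hypothetical class that is on the classpath but has no business in an import file.
class NotACourse {
    public String payload;
}

public class CourseImportDemo {

    // Vulnerable pattern: XStream resolves any class name the XML names.
    static XStream unrestricted() {
        return new XStream();
    }

    // Hardened pattern: clear all permissions, then allow only the importer's own model.
    static XStream restricted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // clears existing permissions: deny everything
        xs.addPermission(NullPermission.NULL);                 // null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, CourseExport.class });
        // For a larger model, allow a package tree instead, e.g.
        // xs.allowTypesByWildcard(new String[] { "org.olat.course.**" });
        return xs;
    }

    public static void main(String[] args) {
        // Constructed attacker-supplied XML: the root element names a class outside the model.
        String hostileXml =
            "<" + NotACourse.class.getName() + ">"
            + "<payload>anything</payload>"
            + "</" + NotACourse.class.getName() + ">";

        Object o = unrestricted().fromXML(hostileXml);
        System.out.println("unrestricted: instantiated " + o.getClass().getName());

        try {
            restricted().fromXML(hostileXml);
            System.out.println("restricted: unexpectedly accepted the import");
        } catch (ForbiddenClassException e) {
            System.out.println("restricted: rejected " + e.getMessage());
        }

        // A legitimate import still works with the allow-list in place.
        String goodXml =
            "<" + CourseExport.class.getName() + ">"
            + "<title>Intro</title><nodeCount>3</nodeCount>"
            + "</" + CourseExport.class.getName() + ">";
        CourseExport c = (CourseExport) restricted().fromXML(goodXml);
        System.out.println("restricted: imported \"" + c.title + "\" with " + c.nodeCount + " nodes");
    }
}
```

Two caveats when trying this. On XStream releases that ship the older blacklist default, `new XStream()` accepts any class not on the deny list, so the unrestricted branch instantiates `NotACourse`; later releases tighten the default and may already throw there, which is exactly why an explicit allow-list is the setting to rely on rather than the library default. And `NoTypePermission.NONE` removes every previously registered permission, so it must be added first, before the allow rules.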

Patches

The problem is fixed in versions 15.3.18, 15.5.3 and 16.0. Upgrading to 16.0.x is recommended.

Workarounds

There are no known workarounds for this problem; an upgrade is necessary.

References

https://jira.openolat.org/browse/OO-5548 (only visible to members of the OpenOlat partner program)

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-39181

Weaknesses

No CWEs

Credits