CVE-2022-38078: MovableType.org – News: Movable Type 7 r.5301 (v7.9.5), v6.8.7: Security update

The Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by the POST method to the Movable Type XMLRPC API may allow arbitrary Perl code execution, through which an arbitrary OS command may be executed. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are also affected by this vulnerability.


Movable Type 7 r.5301 (v7.9.5), v6.8.7 released.

This release includes a security fix. If you use Movable Type 4.0 or later, Six Apart strongly recommends that you upgrade to the latest version or apply one of the workarounds immediately.

Details of the security issue

Through the XMLRPC API of MT (mt-xmlrpc.cgi), Perl / OS command injection (RCE) can be performed under limited conditions. The issue is exploitable when mt-xmlrpc.cgi can be executed from the Internet.

Workarounds for those who cannot upgrade to the latest version

One of the following steps can be taken to avoid or reduce the impact of the vulnerability. All of them disable or restrict the XML-RPC interface, so any client that publishes through it will stop working until you upgrade.

  • Remove the execute permission from mt-xmlrpc.cgi
  • Delete the mt-xmlrpc.cgi file
  • Restrict access to mt-xmlrpc.cgi from the Internet
  • PSGI environment: set "RestrictedPSGIApp xmlrpc" in mt-config.cgi (6.2 and later), or set "XMLRPCScript" to a string of random characters long enough that it cannot be guessed (6.1 and earlier)
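The following script, added here as an example and not part of Six Apart's advisory or the Movable Type code base, audits an install for the file-level and PSGI workarounds above and applies the least invasive one (dropping the execute bit). It assumes a default layout where mt-xmlrpc.cgi and mt-config.cgi sit in the same directory; the directory it runs against is constructed for the demonstration, and the Apache 2.4 fragment it prints for the "restrict access" option assumes the CGI directory is served by Apache with mod_authz_core.

```shell
#!/bin/sh
# Added example, not Six Apart's code: audit and apply interim workarounds for
# the mt-xmlrpc.cgi command injection issue. Assumption: mt-xmlrpc.cgi and
# mt-config.cgi live in the same directory (default install layout).

# Report workaround state for the install at $1. Returns 0 when at least one
# workaround makes the XMLRPC endpoint unreachable, 1 when it is still live.
mt_xmlrpc_audit() {
    dir="$1"
    script="$dir/mt-xmlrpc.cgi"
    config="$dir/mt-config.cgi"
    safe=1

    if [ ! -e "$script" ]; then
        echo "ok: mt-xmlrpc.cgi has been deleted"
        safe=0
    elif [ ! -x "$script" ]; then
        echo "ok: mt-xmlrpc.cgi is present but not executable"
        safe=0
    else
        echo "WARN: mt-xmlrpc.cgi is present and executable"
    fi

    # PSGI deployments (MT 6.2+): RestrictedPSGIApp xmlrpc disables the app.
    if [ -f "$config" ] && grep -Eq '^[[:space:]]*RestrictedPSGIApp[[:space:]]+xmlrpc' "$config"; then
        echo "ok: RestrictedPSGIApp xmlrpc is set in mt-config.cgi"
        safe=0
    else
        echo "info: RestrictedPSGIApp xmlrpc not set (only effective for PSGI deployments)"
    fi
    return $safe
}

# Drop the execute permission so the web server can no longer run the CGI.
# The file is kept in place so the later upgrade proceeds normally.
mt_xmlrpc_disable() {
    script="$1/mt-xmlrpc.cgi"
    [ -e "$script" ] || return 0
    chmod a-x "$script"
}

# Print an Apache 2.4 fragment that limits mt-xmlrpc.cgi to the network in $1
# (hypothetical admin range; adjust to your own). Covers the "restrict access"
# workaround for installs that still need XML-RPC from a trusted network.
mt_xmlrpc_htaccess() {
    printf '<Files "mt-xmlrpc.cgi">\n    Require ip %s\n</Files>\n' "$1"
}

# Demo on a constructed directory that mimics an unpatched CGI install.
demo_dir=$(mktemp -d)
printf '#!/usr/bin/perl\n' > "$demo_dir/mt-xmlrpc.cgi"
chmod 755 "$demo_dir/mt-xmlrpc.cgi"
printf 'CGIPath /cgi-bin/mt/\n' > "$demo_dir/mt-config.cgi"

mt_xmlrpc_audit "$demo_dir" || echo "endpoint reachable: applying workaround"
mt_xmlrpc_disable "$demo_dir"
mt_xmlrpc_audit "$demo_dir" && echo "workaround applied"
mt_xmlrpc_htaccess 192.0.2.0/24
rm -rf "$demo_dir"
```

Run the audit against the real install directory before and after applying a workaround; re-run it after the upgrade too, since the fixed release still ships mt-xmlrpc.cgi and you may want to restore the execute bit deliberately rather than by accident.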

Since Six Apart has already ended support for Movable Type 4.x, 5.x, and 6.0.x-6.3.x, we strongly recommend upgrading to the latest version, Movable Type 7 r.5301 or 6.8.7.

RELEASED VERSIONS

  • Movable Type r.5301 (v7.9.5)
  • Movable Type Advanced r.5301 (v7.9.5)
  • Movable Type AMI (via AWS Marketplace) r.5301 (v7.9.5)
  • Movable Type Advanced AMI (via AWS Marketplace) r.5301 (v7.9.5)
  • Movable Type v6.8.7
  • Movable Type Advanced v6.8.7
  • Movable Type AMI (via AWS Marketplace) v6.8.7
  • Movable Type Advanced AMI (via AWS Marketplace) v6.8.7

Release Notes

Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using.

  • Movable Type 7 r.5301 (v7.9.5) Release Notes
  • Movable Type 6.8.7 Release Notes

How to get Movable Type 7 and 6.8

If you have an existing Movable Type 7 or 6.8 license, you can download the latest Movable Type from our download portal using your Six Apart ID.

To purchase a new license or an upgrade, please visit MovableType.com for more information, or feel free to contact us if you have any questions.

Movable Type 6.8 is covered by LTS (long-term support) and will receive bug fixes and security fixes until 2022. However, in order to use Movable Type 6.5.x/6.6.x/6.7.x/6.8.x, the "Pro Unlimited annual license" needs to be renewed every year.
