Today we have released Deskpro v2019.8.0. This release contains an important update to fix a critical security vulnerability that affects on-premise installations. All Deskpro versions are susceptible and require updating.
This does NOT affect you if you are a Cloud customer. Only on-premise customers need to take action.
More information about this security update is detailed in our news post.
How To Update
The process to update to 2019.8.0 is the same as any other version. Refer to the sysadmin guide on our website for instructions: https://support.deskpro.com/guides/topic/715
If you need help updating, please open a support ticket by emailing us at firstname.lastname@example.org. We have technicians standing by to answer your questions. Alternatively, you can purchase our professional update service or migrate to Deskpro Cloud.
What is the Vulnerability?
This issue is classified as a privilege escalation fault. A malicious user can exploit multiple bugs in Deskpro's code to escalate their access to administrator.
The exact procedure is non-trivial and we were able to confirm that the vulnerability had not been exploited on our platform. We are waiting before providing any in-depth details to give customers a chance to update. We will publish more information in our news post.
Is my installation affected?
Almost certainly. This affects everyone running v4, v5.x, v2018.x and v2019.x up to and including the most recent 2019.7.4.
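A quick way to turn the version list above into a check you can run against an inventory of on-premise instances. This is an added example, not Deskpro's own code: it only encodes the range the advisory states (every version up to and including 2019.7.4 is affected, 2019.8.0 is the fixed release) and assumes the version strings follow the patterns the advisory uses (v4, v5.x, 2018.x, 2019.x, with or without a leading "v").

```python
# Added example (not Deskpro code): decide whether an on-premise Deskpro
# version string falls inside the affected range stated in the advisory.
import re

LAST_AFFECTED = (2019, 7, 4)   # "up to and including the most recent 2019.7.4"
FIXED_RELEASE = (2019, 8, 0)   # the release that contains the fix


def parse_version(text):
    """Turn strings such as 'v4', 'v5.2' or '2019.7.4' into a comparable tuple.

    Components the string omits are treated as 0, so 'v4' becomes (4, 0, 0);
    a leading 'v' is accepted and ignored. Anything else raises ValueError,
    which is better than silently marking an unknown string "not affected".
    """
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Deskpro version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(text):
    """True for every version the advisory lists (all releases <= 2019.7.4)."""
    return parse_version(text) <= LAST_AFFECTED


def assess(versions):
    """Map each version string in an inventory to a verdict (assumed inventory format)."""
    return {
        v: ("update to 2019.8.0" if is_affected(v) else "not affected")
        for v in versions
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    for version, verdict in assess(["v4", "v5.3.1", "2018.2.0", "v2019.7.4", "2019.8.0"]).items():
        print(f"{version:>10}: {verdict}")
```

Tuple comparison does the right thing across the mixed numbering schemes because the old major versions (4, 5) sort below the year-based ones (2018, 2019). Note that `parse_version` rejects wildcard strings like "v5.x"; feed it the concrete version reported by each installation.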
How was the vulnerability raised?
A report was compiled by a security research firm who submitted it as part of a responsible disclosure procedure.
What was your response?
Deskpro immediately investigated the report. We deployed updates to our Cloud platform within an hour of the initial report, and we were able to confirm that the vulnerability had not been exploited on our platform. The team then immediately began working on a release we could deploy to all on-premise customers.
You can find more details about the timeline and our response in our news post.
Are there any other changes in this release?
In addition to fixing the main fault, our engineers have made efforts to tighten security in a number of other areas within the product as a precautionary and pre-emptive measure. These measures can help mitigate the impact of security issues should they ever arise in future.
Does Deskpro operate a Responsible Disclosure Program?
Yes. Please refer to our website for details including our PGP key:
We are holding back any further in-depth details to give customers a chance to update their instances. We will publish more information in our news post.
Internally, this release contains fixes for tickets CH-3115, CH-3116 and CH-3117.