vBulletin 5.X critical security issue, fix available - ED Forums
 


Old 09-26-2019, 02:15 PM   #1
Yurgon
Campaign Tester
 
Join Date: May 2010
Location: Germany
Posts: 7,922
vBulletin 5.X critical security issue, fix available

I'm not sure which version of vBulletin is in use here, but this probably applies:

vBulletin Security Patch Released. Versions 5.5.2, 5.5.3, and 5.5.4

US NIST assigned it a Base Score of 9.8 (CRITICAL): CVE-2019-16759 Detail
Old 09-28-2019, 12:51 PM   #2
BIGNEWY
ED Community Manager
 
Join Date: Aug 2011
Location: UK
Posts: 22,788

Thanks Yurgon, I will pass it on.
__________________
BIGNEWY
Community Manager Eagle Dynamics
Windows 10 Pro x64, NVIDIA MSI RTX 2080Ti VENTUS GP, Intel® i9-10900K 3.70GHz, 5.30GHz Turbo, Corsair Hydro Series H150i Pro, 32GB DDR @3000, ASUS ROG Strix Z490-F Gaming, TM Warthog, Jet provost rudder pedals, VIVE Cosmos

Old 09-30-2019, 01:18 PM   #3
Yurgon
Campaign Tester
 
Join Date: May 2010
Location: Germany
Posts: 7,922

Thanks Bignewy.

Just an FYI, I saw a bunch of failed HTTP requests scroll by the error log in a site of mine that doesn't even have a vBulletin board:

/vb/js/ajax.js
/vbforum/js/ajax.js
/forum/js/ajax.js
/js/ajax.js
/forums/js/ajax.js
/vBulletin/js/ajax.js
/vb5/js/ajax.js

Might be unrelated, but my guess is this is an active attempt to find vulnerable vBulletin installations that have not been patched yet, and it's probably happening all over the web.
__________________
Yurgon is offline  
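
The probe pattern described in the post above, turned into a log check. This is an added example, not part of the original thread. It assumes a Combined Log Format access log; the function name, the threshold and the sample log lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: client, timestamp, request line, status (assumed layout).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The file probed in the post, under any directory prefix.
PROBE_RE = re.compile(
    r'^(?P<prefix>/(?:[^/?#]+/)*)js/ajax\.js(?:[?#].*)?$', re.IGNORECASE
)

def find_vbulletin_probes(lines, min_prefixes=3):
    """Return {client: sorted prefixes} for clients that received 404s for
    js/ajax.js under at least `min_prefixes` different directories.
    One miss can be a stale link; the same file under many guessed
    directories from one client is the scanning pattern."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        p = PROBE_RE.match(m["path"])
        if p:
            seen[m["client"]].add(p["prefix"].lower())
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_prefixes}

# Paths quoted in the post; the log lines around them are constructed.
PAGE_PATHS = ["/vb/js/ajax.js", "/vbforum/js/ajax.js", "/forum/js/ajax.js",
              "/js/ajax.js", "/forums/js/ajax.js", "/vBulletin/js/ajax.js",
              "/vb5/js/ajax.js"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [30/Sep/2019:13:02:{i:02d} +0000] '
    f'"GET {p} HTTP/1.1" 404 196 "-" "-"'
    for i, p in enumerate(PAGE_PATHS)
] + [
    # Unrelated visitor: a single miss plus a normal page view.
    '198.51.100.20 - - [30/Sep/2019:13:05:00 +0000] '
    '"GET /js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.20 - - [30/Sep/2019:13:05:01 +0000] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for client, prefixes in find_vbulletin_probes(SAMPLE_LOG).items():
        print(client, "probed", len(prefixes), "directories:", prefixes)
```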
Old 09-30-2019, 01:26 PM   #4
BIGNEWY
ED Community Manager
 
Join Date: Aug 2011
Location: UK
Posts: 22,788

Thanks for the heads up, the team have ensured we will not be affected.
Old 10-08-2019, 10:50 PM   #5
Yurgon
Campaign Tester
 
Join Date: May 2010
Location: Germany
Posts: 7,922
vBulletin 5.X critical security issue, Patch Level 2

The previous thread was closed, so I couldn't post an update there.

The vBulletin team have issued an announcement regarding a new patch level: vBulletin 5.5.X (5.5.2, 5.5.3, and 5.5.4) Security Patch Level 2

This one seems to be at least as critical as the previous issue last week.

If I read the notes correctly, all versions of vBulletin are affected unless it's updated to:
  • 5.5.4 Patch Level 2
  • 5.5.3 Patch Level 2
  • 5.5.2 Patch Level 2

I'm guessing that vBulletin versions older than 5 would be affected as well (and by now they're probably as secure as cheese in a mouse cage anyway).

Comodo had data on some 170.000 accounts stolen from their vBulletin because they didn't patch quickly enough.

Thanks.
Old 10-10-2019, 07:33 PM   #6
BIGNEWY
ED Community Manager
 
Join Date: Aug 2011
Location: UK
Posts: 22,788

Hi Yurgon,

the team is aware, thanks for the post.

I have merged it with the first one.

Edit:
The exploit does not affect our version of vBulletin; the team have checked.

thank you
Last edited by BIGNEWY; 10-10-2019 at 09:13 PM.