vBulletin 5.X critical security issue, fix available - ED Forums
 


09-26-2019, 02:15 PM   #1
Yurgon
Campaign Testers
Join Date: May 2010
Location: Germany
Posts: 7,383
vBulletin 5.X critical security issue, fix available

I'm not sure which version of vBulletin is in use here, but this probably applies:

vBulletin Security Patch Released. Versions 5.5.2, 5.5.3, and 5.5.4

US NIST assigned it a Base Score of 9.8 (CRITICAL): CVE-2019-16759 Detail

09-28-2019, 12:51 PM   #2
BIGNEWY
ED Community Manager
Join Date: Aug 2011
Location: UK
Posts: 16,485

Thanks Yurgon, I will pass it on.
__________________
Windows 10 Pro x64, NVIDIA PALIT 1080 8GB, INTEL i7 4790K @4.4 GHz( Cooled by H100i ), 32GB DDR3 @1866 , Asus Z97-AR, TM Warthog, Jet provost rudder pedals, DELL Visor WMR
Forum rules - DCS Crashing? Try this first - Discord BIGNEWY#8703

09-30-2019, 01:18 PM   #3
Yurgon
Campaign Testers
Thanks Bignewy.

Just an FYI, I saw a bunch of failed HTTP requests scroll by the error log in a site of mine that doesn't even have a vBulletin board:

/vb/js/ajax.js
/vbforum/js/ajax.js
/forum/js/ajax.js
/js/ajax.js
/forums/js/ajax.js
/vBulletin/js/ajax.js
/vb5/js/ajax.js

Might be unrelated, but my guess is this is an active attempt to find vulnerable vBulletin installations that have not been patched yet, and it's probably happening all over the web.
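
The probing pattern described in post #3 can be picked out of a web server log mechanically. The following is an added example, not part of any post in this thread: it assumes combined-format access-log lines (the post mentions an error log, whose format differs), and the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Probe targets copied from the failed requests listed in the post (lowercased).
PROBE_PATHS = {p.lower() for p in (
    "/vb/js/ajax.js", "/vbforum/js/ajax.js", "/forum/js/ajax.js", "/js/ajax.js",
    "/forums/js/ajax.js", "/vBulletin/js/ajax.js", "/vb5/js/ajax.js")}

# Assumption: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_vb_scanners(lines, min_distinct=3):
    """Map client IP -> probe summary for clients that requested at least
    `min_distinct` different ajax.js locations from the list above."""
    seen = defaultdict(dict)                       # ip -> {path: last status}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                               # not a parsable request line
        path = m["path"].split("?", 1)[0].lower()  # drop query string, fold case
        if path in PROBE_PATHS:
            seen[m["ip"]][path] = int(m["status"])
    report = {}
    for ip, probes in seen.items():
        if len(probes) >= min_distinct:
            report[ip] = {
                "probed": sorted(probes),
                # A non-404 answer means something is served at that path:
                # check whether it is a vBulletin install that needs the patch.
                "answered": sorted(p for p, s in probes.items() if s != 404),
            }
    return report

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Sep/2019:13:01:02 +0000] "GET /vb/js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [30/Sep/2019:13:01:02 +0000] "GET /vbforum/js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [30/Sep/2019:13:01:03 +0000] "GET /vBulletin/js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.7 - - [30/Sep/2019:13:01:03 +0000] "GET /js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.20 - - [30/Sep/2019:13:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [30/Sep/2019:13:02:11 +0000] "GET /js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.55 - - [30/Sep/2019:13:05:40 +0000] "GET /forum/js/ajax.js HTTP/1.1" 200 8841 "-" "-"',
    '192.0.2.55 - - [30/Sep/2019:13:05:41 +0000] "GET /forums/js/ajax.js HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.55 - - [30/Sep/2019:13:05:41 +0000] "GET /vb5/js/ajax.js?v=1 HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in find_vb_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

A single miss on `/js/ajax.js` stays below the threshold, while a client walking several of the listed prefixes is reported together with any path that did not return 404.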

09-30-2019, 01:26 PM   #4
BIGNEWY
ED Community Manager

Thanks for the heads up, the team have ensured we will not be affected.

10-08-2019, 10:50 PM   #5
Yurgon
Campaign Testers
vBulletin 5.X critical security issue, Patch Level 2

The previous thread was closed, so I couldn't post an update there.

The vBulletin team have issued an announcement regarding a new patch level: vBulletin 5.5.X (5.5.2, 5.5.3, and 5.5.4) Security Patch Level 2

This one seems to be at least as critical as the previous issue last week.

If I read the notes correctly, all versions of vBulletin are affected unless it's updated to:
  • 5.5.4 Patch Level 2
  • 5.5.3 Patch Level 2
  • 5.5.2 Patch Level 2

I'm guessing that vBulletin versions older than 5 would be affected as well (and by now they're probably as secure as cheese in a mouse cage anyway).

Comodo had data on some 170.000 accounts stolen from their vBulletin because they didn't patch quickly enough.

Thanks.

10-10-2019, 07:33 PM   #6
BIGNEWY
ED Community Manager

Hi Yurgon,

the team is aware, thanks for the post.

I have merged it with the first one.

Edit:
The exploit does not affect our version of vBulletin; the team have checked.

thank you

Last edited by BIGNEWY; 10-10-2019 at 09:13 PM.

All times are GMT. Powered by vBulletin®.