CIVI-SA-2022-06: Dompdf 1.2.1

Pubblicato
2022-04-06 12:00
Written by

The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.

Security Risk
Highly Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

5.48.beta, 5.47.3, 5.45.4

Fixed Versions

5.48.0, 5.47.4, and 5.45.5 ESR

Publication Date
Solutions

Upgrade to CiviCRM v5.48.0, v5.47.4, or 5.45.5 ESR

Alternatively, if you cannot upgrade CiviCRM, then any ONE of the following will also resolve the security issue:

  • Put firm restrictions on dompdf. Edit civicrm.settings.php and override this option:

    // TEMPORARY OVERRIDE: This site has an insecure version of dompdf (<1.2.1), so some features
    // are temporarily disabled. You may remove this after upgrading (dompdf 1.2.1+; Civi 5.47.4+).
    $civicrm_setting['domain']['dompdf_enable_remote'] = FALSE;
    

    NOTE: This prevents any users from running vulnerable code. However, it also limits the ability to generate PDFs. For example, if you generate invoice PDFs with an image or logo, the images will not appear.

  • Manually upgrade dompdf to v1.2.1+ (for Drupal 8/9 projects). In your site-root, download the secure version:

    composer require 'dompdf/dompdf:1.2.1 as 1.0.3'
    

    NOTE: This is useful as a short-term override. In the future, when you have a chance to update CiviCRM, you will need to edit composer.json and remove this override.

If you apply an alternative solution, the application will still display a message that encourages upgrading, but it will be secure against the dompdf vulnerability.

Credits

Maximilian Kirchmeier and Fabian Bräunlein (Positive Security) for identifying and documenting the vulnerability.

Brian Sweeney (dompdf) for developing the fix.

CiviCRM Security Team and Luke Stewart (Fuzion) for porting and QA on CiviCRM.