Critical Security fix for SSP versions 24LTS and Feature Stream
We fixed a critical pen test finding in our SIGNificant Server Platform product.
Affected versions
All customers operating SSP 24LTS versions 23.76.0.17 through 23.76.2.56 are affected. This includes all customers operating eSAW 24LTS, since eSAW uses SSP as one of its components. They need to update their SSP version to 23.76.3.69 or newer.
The same applies to our outdated Feature Stream versions lower than 24.40. All customers running an unsupported Feature Stream version have to update to 24.40 or newer.
Impact
A component can be misused to read the contents of arbitrary files from the remote web server, which might include sensitive information such as system files or passwords.
However, monitoring of our Private and Shared SaaS environments showed that the issue was not exploited in those environments during the time before we became aware of it and closed it.
Details such as the attack vector are critical information.
We must avoid by any means that such critical information falls into the wrong hands, as many of our on-premise customers operate the product in their own datacenters and have not yet upgraded to the fixed version.
That is why we decided to handle the finding with the necessary care and responsibility. This includes not exposing details of the attack vector yet, although in general we prefer open communication with our customers.
Remediation
A temporary mitigation at the network layer of our SaaS environments was installed on the day we were informed about the issue, to reduce the risk in your particular case.
However, this was only a mitigation and not a final fix. Namirial's ISO 27001 certification requires us to implement the fix by rolling out the hotfix version mentioned above.
The fix was developed, carefully tested on internal QA environments, and, after accelerated public testing on the DEMO environment, installed on our Shared SaaS environments on October 2nd.
Due to the nature of the fix, we are confident that it has no negative impact on your scenarios.
Meanwhile, all Private and Shared SaaS environments operated by Namirial are already running the fixed versions of SSP.
We urgently advise our on-premise customers running an affected version of SSP to update to the hotfix version mentioned.