A vulnerability that affects all versions of Joomla from 1.5.0 to 3.4.5 have just been released (CVE-2015-8562).
The Joomla security team released a patch to address this critical remote command execution vulnerability that is already being exploited in the wild.
Joomla is one of the most popular Content Management Systems (CMS), alongside Wordpress, Drupal and Magento. Joomla CMS is used to build web sites and online applications in conjunction with the many supported shopping cart, e-commerce and payment gateway extensions.
Joomla users need to upgrade to version 3.4.6 immediately. For Joomla 3 and above, updating is a simple one-click process through the admin panel. For the unsupported versions 1.5.x - 2.5.x the users need to patch using the Joomla hotfixes.
If you have versions 1.5.x or 2.5.x, the process for applying the hotfix is as follows:
- Depending which version is installed, a different file needs to be downloaded.
For version 1.5.x the file to download is located here:
For version 2.5.x the file to download is located here:
- Extract the compressed file and find a folder called "libraries".
- Login to the Joomla site via a file transfer protocol (e.g. SFTP, FTP, etc). Please note that this process cannot be done via the Joomla admin page.
- Change directory to /libraries/joomla/session/
- Replace the file session.php on the site with the new session.php file from the archive you downloaded earlier on.
As this vulnerability is already being exploited and has been for the last 2 days before there was a patch available, it is very important that if your site is affected it is patched as soon as possible.
If you wish to investigate whether your Joomla site has already been targeted you can do so by checking your logs. Look for requests from the following IP addresses 18.104.22.168 or 22.214.171.124 or 126.96.36.199 which were the first IP addresses that started exploiting the vulnerability.
It is also possible to search the logs for the User Agent strings “JDatabaseDriverMysqli” or “O:” as these have been used in the exploits. Any logs from the aforementioned IP addresses and/or User Agent strings is an indication that the Joomla site needs to be considered as compromised and the remediation / incident response phase needs to be initiated.
If your Joomla CMS instance is managed by a third party provider, if you suspect or don’t know whether your third party hosted/managed website relies on Joomla CMS contact your provider now to ensure the patch for this vulnerability is applied as soon as possible.