Insecure Deserialization Vulnerability
Description
- Report Server 2024 Q1 (10.0.24.130) and older.
Root Cause
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
Solution
Updating to Report Server 2024 Q1 (10.0.24.305) or higher is the only way to remove this vulnerability. Take the following steps to get started:
- Go to Your Account | Report Server Downloads, sign in with your Telerik account, and download the latest version of Report Server installer (it is an
msifile). - Carefully follow the instructions in the Upgrading Report Server | Telerik Report Server documentation to update all your instances.
Notes
- We would like to thank 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative for their responsible disclosure and cooperation.
- You can check what version you are running by:
- Go to your Report Server web UI and log in using an account with administrator rights.
- Open the Configuration page (root-uri/Configuration/Index).
- Select the About tab, the version number is displayed in the pane on the right.
- Our customers’ security is of the utmost importance to us. If you have any questions, concerns, or problems related to this issue, you can open a new Technical Support case (Technical Support is available to customers with an active Support subscription).
External References
-
CVE-2024-1800 (CRITICAL)
CVSS: 9.9
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
Discoverer Credit: HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative