
Insecure Deserialization Vulnerability

Description

Critical Alert - July 2024 - CVE-2024-6327

  • Report Server 2024 Q2 (10.1.24.514) and earlier.

Issue

CWE-502 Deserialization of Untrusted Data

What Are the Impacts

In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.

Solution

Updating to Report Server 2024 Q2 (10.1.24.709) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.

Current Version            Guidance
10.1.24.514 (or earlier)   Update to 10.1.24.709 (update instructions)

All customers who have a Telerik Report Server license can access the downloads at Product Downloads | Your Account (Telerik.com).

Temporary Mitigation

You can temporarily mitigate this issue by changing the identity of the Report Server Application Pool to a user with limited permissions. If you do not already have a procedure for creating IIS users and assigning them to an App Pool, you can reference our How To Change IIS User for Report Server KB article for assistance.
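The mitigation above can be scripted on the IIS host. The following PowerShell is an added example, not the procedure from the Progress KB article; it assumes the WebAdministration module is installed, that the script runs elevated, and uses placeholder values for the application pool name, the service account name and the site root, all of which must be replaced with the values from your own installation.

```powershell
# Added example (not from the advisory): run the Report Server application pool
# under a dedicated low-privilege local account instead of a highly privileged one.
# $poolName, $accountName and $sitePath are placeholders (assumptions), not values
# taken from the advisory or from a real installation.
Import-Module WebAdministration

$poolName    = 'TelerikReportServer'               # placeholder: your actual pool name
$accountName = 'svc_reportserver'                  # placeholder: dedicated service account
$sitePath    = 'C:\inetpub\wwwroot\ReportServer'   # placeholder: site root on this host
$password    = Read-Host -AsSecureString -Prompt 'Password for the service account'

# 1. Create a dedicated local account with no administrative group membership.
#    IIS adds it to IIS_IUSRS itself when the pool is started with a specific user.
if (-not (Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $accountName -Password $password -PasswordNeverExpires `
        -Description 'Report Server app pool identity' | Out-Null
}

# 2. Point the pool at that account. identityType 3 = SpecificUser.
#    The pool configuration needs the password in clear text, so decode the
#    SecureString just for this call and release the buffer immediately after.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel `
    -Value @{ identityType = 3; userName = "$env:COMPUTERNAME\$accountName"; password = $plain }
$plain = $null

# 3. Grant the account read/execute on the site root only. Add Modify on the
#    specific writable data folders the application needs, nothing broader.
$acl  = Get-Acl $sitePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $accountName, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sitePath -AclObject $acl

# 4. Recycle the pool and confirm the identity actually changed.
Restart-WebAppPool -Name $poolName
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
"{0} now runs as identityType={1} userName={2}" -f $poolName, $pm.identityType, $pm.userName
```

After running it, verify the worker process in Task Manager or with Get-Process shows the new account, and re-test the application: any file or database permission the pool previously had implicitly will now fail loudly, which is the point of the change. This only limits what a successful exploit can do; it does not remove the deserialization flaw, so the upgrade in the Solution section is still required.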

Notes

  • Our customers’ security is of the utmost importance to us. If you have any questions, concerns, or problems related to this issue, you can open a new Technical Support case (Technical Support is available to customers with an active Support subscription).
  • You can check what version you are running by:
    1. Go to your Report Server web UI and log in using an account with administrator rights.
    2. Open the Configuration page (~/Configuration/Index).
    3. Select the About tab; the version number is displayed in the pane on the right.
  • We would like to thank Markus Wulftange with CODE WHITE GmbH for their cooperation with CVE-2024-6096.

External References

  • CVE-2024-6327 (CRITICAL)

    CVSS: 9.9

    In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through CVE-2024-6096.
