New to Telerik Report Server? Download free 30-day trial

Insecure Type Resolution Vulnerability

Description

Critical Alert – September 2024 - CVE-2024-8015

  • Telerik Report Server 2024 Q3 (10.2.24.806) or earlier.

Issue

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

What Are the Impacts

In Progress® Telerik® Report Server, versions 2024 Q3 (10.2.24.806) or earlier, a code execution attack is possible through an insecure type resolution vulnerability.

Solution

We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.

Current Version Guidance
2024 Q3 (10.2.24.806) or earlier Update to 2024 Q3 (10.2.24.924) (update instructions)

All customers who have a Telerik Report Server license can access the downloads here Product Downloads | Your Account.

Temporary Mitigation

You can mitigate this vulnerability by changing Report Server’s Application Pool user to one with limited permissions.

If you do not already have a procedure for creating a dedicated App Pool user, you can reference our How To Change IIS User for Report Server KB article for additional assistance.

Notes

  • You can check what version you are running by:
    1. Go to your Report Server web UI and log in using an account with administrator rights.
    2. Open the Configuration page (~/Configuration/Index).
    3. Select the About tab, the version number is displayed in the pane on the right.
  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
  • We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation with CVE-2024-8014.

External References

CVE-2024-8015 (CRITICAL)

CVSS: 9.1

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.

Discoverer Credit: Markus Wulftange with CODE WHITE GmbH

In this article