Security vulnerabilities in RT (2017-06-15)
We have discovered security vulnerabilities which affect RT 4.0.x, RT 4.2.x, RT 4.4.x, and the RT::Authen::ExternalAuth extension. We are in the process of public testing of RT versions 4.0.25, 4.2.14, and 4.4.2 which resolve these vulnerabilities. In the meantime we are providing patches which apply atop all released versions of 4.0, 4.2, and 4.4. Additionally we are releasing RT::Authen::ExternalAuth 0.27 and providing a patch for versions 0.09 (released in 2011) and later.

The vulnerabilities addressed by 4.0.25, 4.2.14, 4.4.2, ExternalAuth 0.27 and the below patches include the following:

  • RT 4.0.0 and above are vulnerable to an information leak of cross-site request forgery (CSRF) verification tokens if a user visits a specific URL crafted by an attacker. This vulnerability is assigned CVE-2017-5943. It was discovered by a third-party security researcher.

  • RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack if an attacker uploads a malicious file with a certain content type. Installations which use the AlwaysDownloadAttachments config setting are unaffected. This fix addresses all existing and future uploaded attachments. This vulnerability is assigned CVE-2016-6127. This was responsibly disclosed to us first by Scott Russo and the GE Application Security Assessment Team.

  • One of RT’s dependencies, a Perl module named Email::Address, has a denial of service vulnerability which could induce a denial of service of RT itself. We recommend administrators install Email::Address version 1.908 or above, though we additionally provide a new workaround within RT. The Email::Address vulnerability was assigned CVE-2015-7686. This vulnerability’s application to RT was brought to our attention by Pali Rohár.

  • RT 4.0.0 and above are vulnerable to timing side-channel attacks for user passwords. By carefully measuring millions or billions of login attempts, an attacker could crack a user’s password even over the internet. RT now uses a constant-time comparison algorithm for secrets to thwart such attacks. This vulnerability is assigned CVE-2017-5361. This was responsibly disclosed to us by Aaron Kondziela.

  • RT’s ExternalAuth feature is vulnerable to a similar timing side-channel attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth extension and the core ExternalAuth feature in RT 4.4 are vulnerable. Installations which don’t use ExternalAuth, or which use ExternalAuth for LDAP/ActiveDirectory authentication, or which use ExternalAuth for cookie-based authentication, are unaffected. Only ExternalAuth in DBI (database) mode is vulnerable.

  • RT 4.0.0 and above are potentially vulnerable to a remote code execution attack in the dashboard subscription interface. A privileged attacker can cause unexpected code to be executed through carefully-crafted saved search names. Though we have not been able to demonstrate an actual attack owing to other defenses in place, it could be possible. This fix addresses all existing and future saved searches. This vulnerability is assigned CVE-2017-5944. It was discovered by an internal security audit.

  • RT 4.0.0 and above have misleading documentation which could reduce system security. The RestrictLoginReferrer config setting (which has security implications) was inconsistent with its implementation, which checked for a slightly different variable name. RT will now check for the incorrect name and produce an error message. This was responsibly disclosed to us by Alex Vandiver.

  • Patches for all releases of 4.0.x and 4.2.x are available for download below. Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact if you need assistance with an older RT version.

e75c2cd5bb99814d6dad4d865dbee6b93818eb7540a29d21cb19d5e002f96805  security-2017-06-15.tar.gz
9208cd8d79106890a73bfb05b480bf67abb3a1448db96546515103a6c1c75e20  security-2017-06-15.tar.gz.asc

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at for more information.
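The two timing side-channel items above (core password checks, CVE-2017-5361, and ExternalAuth in DBI mode) share one root cause: comparing a supplied secret against a stored one with an operator that stops at the first differing byte. The following Perl is an added illustration written for this page; it is not RT's own code and not the patch in the tarball. It contrasts a naive `eq` comparison with a constant-time one of the kind the advisory says RT now uses. The sample credential and guesses are constructed; the helper names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256);

# Naive comparison (the vulnerable pattern): Perl's `eq` returns as soon as
# it finds a differing byte, so the time it takes grows with the number of
# leading bytes the guess shares with the stored value.
sub secrets_match_naive {
    my ($stored, $supplied) = @_;
    return $stored eq $supplied ? 1 : 0;
}

# Constant-time comparison: both values are first hashed to a fixed length,
# then every byte pair is XORed and the results ORed together. The loop
# always runs over the full length and never exits early, so the time taken
# does not depend on where (or whether) the inputs differ.
sub secrets_match_constant_time {
    my ($stored, $supplied) = @_;
    my $x = sha256($stored);     # 32 bytes regardless of input length
    my $y = sha256($supplied);   # so the length itself leaks nothing
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values (not taken from any RT installation).
my $stored  = 'correct horse battery staple';
my %guesses = (
    'exact match'   => 'correct horse battery staple',
    'shares prefix' => 'correct horse battery stapler',
    'no overlap'    => 'xyzzy',
);

for my $label (sort keys %guesses) {
    printf "%-14s naive=%d constant_time=%d\n", $label,
        secrets_match_naive($stored, $guesses{$label}),
        secrets_match_constant_time($stored, $guesses{$label});
}
```

Both functions return the same answers; the difference is only in how long they take to reach a mismatch, which is exactly what a timing attack measures. In a real deployment the stored value is a password hash and the supplied value is the hash of the submitted password, and the same rule applies to API keys, session tokens and any other secret: any `eq` (or string comparison in SQL) on such a value is a candidate for the same class of bug when auditing custom code or extensions.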