We have discovered a critical security vulnerability in Kayako software. In accordance with our security vulnerability, fix and patch policy, this security advisory discloses what the vulnerability is, what it affects and how it can be fixed.
- This vulnerability affects all versions of Kayako Fusion, Case and Engage up to and including Kayako 4.70.1.
- Kayako OnDemand customers have already been updated and do not need to take any further action.
- Kayako Download customers need to update their Kayako helpdesk to the latest version or apply a patch below.
If you have any questions about this advisory or require assistance with the update, please do not hesitate to contact our support team.
Security advisory details
Vulnerability
An attacker could use this vulnerability to remotely execute PHP code on the server on which Kayako is installed. To exploit this vulnerability, an attacker would need HTTP access to any of the web-facing parts of Kayako. We have verified that the potential for exploitation exists. There is no known exploit in the wild.
Severity
According to our severity scale, we have rated this vulnerability as critical (a CVSS2 base score of 8.0 or higher).
Credit
This vulnerability was responsibly disclosed to us by a Kayako customer. We confirmed this vulnerability on the 9th June 2015 and released a fix and security advisory on the 10th June 2015.
We are committed to responsible disclosure. Read more about our security vulnerability, fix and patch policy.
Fix
Update to Kayako 4.70.2
We have released Kayako 4.70.2 to fix this vulnerability. Although we always recommend a full update, patches are available (detailed below) if you are not in a position to perform a full update. For more information on updating your helpdesk, see Upgrading your helpdesk.
The release notes Kayako 4.70.2 are available here.
Patch
NOTE: A patch is a stop-gap measure only. If you patch your helpdesk, plan a full update to the latest release as soon as possible. Take a backup of the files you patch.
If you are not in a position to update immediately, we have prepared patches for the previous 6 releases to fix the critical security issue. We always recommend a full update to the latest release.
Download the package which corresponds to your current Kayako version, unpack the package and then replace the corresponding files on your helpdesk with the new, patched versions.
You can find your current Kayako version in the admin control panel dashboard.
Kayako 4.65 and later
Version |
Patch file |
---|---|
Kayako Fusion, Case and Engage 4.70 and 4.70.1 |
SWIFT-4729-4.70.1.zip |
Kayako Fusion, Case and Engage 4.69 (all 4.69.* versions) |
SWIFT-4729-4.69.0.zip |
Kayako Fusion, Case and Engage 4.68 (all 4.68.* versions) |
SWIFT-4729-4.68.0.zip |
Kayako Fusion, Case and Engage 4.67 (all 4.67.* versions) |
SWIFT-4729-4.67.0.zip |
Kayako Fusion, Case and Engage 4.66 (all 4.66.* versions) |
SWIFT-4729-4.66.2.zip |
Kayako Fusion, Case and Engage 4.65 (all 4.65.* versions) |
SWIFT-4729-4.65.2.zip |
For all Kayako plans, the files to replace are:
__swift/includes/functions.php __swift/library/Cookie/class.SWIFT_Cookie.php
Earlier versions of Kayako
We have provided patches for the 6 previous releases, covering more than a year of release history. If you are using a Kayako version earlier than this, a full update is required.
Risk mitigation
There are no mitigation steps available, other than updating to the latest available version or applying the patches provided.
Jamie Edwards