June 2015 Security Advisory: Kayako Classic 4.70.1 and earlier

We have discovered a critical security vulnerability in Kayako software. In accordance with our security vulnerability, fix and patch policy, this security advisory discloses what the vulnerability is, what it affects and how it can be fixed.

  • This vulnerability affects all versions of Kayako Fusion, Case and Engage up to and including Kayako 4.70.1.
  • Kayako OnDemand customers have already been updated and do not need to take any further action.
  • Kayako Download customers need to update their Kayako helpdesk to the latest version or apply a patch below.

If you have any questions about this advisory or require assistance with the update, please do not hesitate to contact our support team.

Security advisory details

Vulnerability

An attacker could use this vulnerability to remotely execute PHP code on the server on which Kayako is installed. To exploit this vulnerability, an attacker would need HTTP access to any of the web-facing parts of Kayako. We have verified that the potential for exploitation exists. There is no known exploit in the wild.

Severity

According to our severity scale, we have rated this vulnerability as critical (a CVSS2 base score of 8.0 or higher).

Credit

This vulnerability was responsibly disclosed to us by a Kayako customer. We confirmed this vulnerability on the 9th June 2015 and released a fix and security advisory on the 10th June 2015.

We are committed to responsible disclosure. Read more about our security vulnerability, fix and patch policy.

Fix

Update to Kayako 4.70.2

We have released Kayako 4.70.2 to fix this vulnerability. Although we always recommend a full update, patches are available (detailed below) if you are not in a position to perform a full update. For more information on updating your helpdesk, see Upgrading your helpdesk.

The release notes for Kayako 4.70.2 are available here.

Patch

NOTE: A patch is a stop-gap measure only. If you patch your helpdesk, plan a full update to the latest release as soon as possible. Take a backup of the files you patch.

If you are not in a position to update immediately, we have prepared patches for the previous 6 releases to fix the critical security issue. We always recommend a full update to the latest release.

Download the package which corresponds to your current Kayako version, unpack the package and then replace the corresponding files on your helpdesk with the new, patched versions.

You can find your current Kayako version in the admin control panel dashboard.

Kayako 4.65 and later

Version                                                     Patch file
----------------------------------------------------------  ---------------------
Kayako Fusion, Case and Engage 4.70 and 4.70.1              SWIFT-4729-4.70.1.zip
Kayako Fusion, Case and Engage 4.69 (all 4.69.* versions)   SWIFT-4729-4.69.0.zip
Kayako Fusion, Case and Engage 4.68 (all 4.68.* versions)   SWIFT-4729-4.68.0.zip
Kayako Fusion, Case and Engage 4.67 (all 4.67.* versions)   SWIFT-4729-4.67.0.zip
Kayako Fusion, Case and Engage 4.66 (all 4.66.* versions)   SWIFT-4729-4.66.2.zip
Kayako Fusion, Case and Engage 4.65 (all 4.65.* versions)   SWIFT-4729-4.65.2.zip


For all Kayako plans, the files to replace are: 

__swift/includes/functions.php
__swift/library/Cookie/class.SWIFT_Cookie.php
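The version lookup from the table above and the backup-then-replace step described under Patch, as an added shell example (not Kayako's own tooling; the helpdesk root, the unpacked package directory and the sample tree are assumptions of this example):

```shell
# Added example, not Kayako's own tooling: apply one SWIFT-4729 patch package to a
# Kayako Download install, backing up the two listed files before replacing them and
# confirming the result. Assumes (not stated on the page) that the package unpacks to
# the same relative paths as the helpdesk tree.
set -eu
# The two files every patch package replaces, as listed in the advisory.
PATCHED_FILES="__swift/includes/functions.php __swift/library/Cookie/class.SWIFT_Cookie.php"
# Map the version shown on the admin control panel dashboard to the package in the table.
patch_package_for() {
  case "$1" in
    4.70|4.70.*) echo SWIFT-4729-4.70.1.zip ;;
    4.69|4.69.*) echo SWIFT-4729-4.69.0.zip ;;
    4.68|4.68.*) echo SWIFT-4729-4.68.0.zip ;;
    4.67|4.67.*) echo SWIFT-4729-4.67.0.zip ;;
    4.66|4.66.*) echo SWIFT-4729-4.66.2.zip ;;
    4.65|4.65.*) echo SWIFT-4729-4.65.2.zip ;;
    *) echo "no patch package for $1: a full update is required" >&2; return 1 ;;
  esac
}
# apply_patch HELPDESK_ROOT UNPACKED_PACKAGE_DIR: refuse to touch the install unless both
# sides carry every expected file, then keep a timestamped copy of each original and copy in.
apply_patch() {
  root=$1; pkg=$2; stamp=$(date +%Y%m%d%H%M%S)
  for f in $PATCHED_FILES; do
    [ -f "$pkg/$f" ] || { echo "package is missing $f" >&2; return 1; }
    [ -f "$root/$f" ] || { echo "helpdesk is missing $f" >&2; return 1; }
  done
  for f in $PATCHED_FILES; do
    cp -p "$root/$f" "$root/$f.bak-$stamp"
    cp "$pkg/$f" "$root/$f"
  done
}
# Post-check: every listed file in the helpdesk is byte-identical to the package copy.
verify_patch() {
  root=$1; pkg=$2
  for f in $PATCHED_FILES; do
    cmp -s "$root/$f" "$pkg/$f" || { echo "$f still differs from the package" >&2; return 1; }
  done
}
# Constructed sample tree for trying this offline (not real Kayako files): prints a temp
# dir holding root/ (an "unpatched" install) and pkg/ (an unpacked package).
make_sample_tree() {
  t=$(mktemp -d)
  for f in $PATCHED_FILES; do
    mkdir -p "$t/root/$(dirname "$f")" "$t/pkg/$(dirname "$f")"
    echo "<?php // unpatched $f" > "$t/root/$f"
    echo "<?php // patched $f" > "$t/pkg/$f"
  done
  echo "$t"
}
```

On a real helpdesk, run `apply_patch /path/to/helpdesk /path/to/unpacked-package` followed by `verify_patch` with the same arguments; the `.bak-<timestamp>` copies are the backup the note above asks you to take.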

Earlier versions of Kayako

We have provided patches for the 6 previous releases, covering more than a year of release history. If you are using a Kayako version earlier than this, a full update is required.

Risk mitigation

There are no mitigation steps available, other than updating to the latest available version or applying the patches provided.

Patch packages attached to this advisory:

  • SWIFT-4729-4.65.2.zip (15 KB)
  • SWIFT-4729-4.66.2-9165-patch.zip (19 KB)
  • SWIFT-4729-4.67.0.9690-patch.zip (20 KB)
  • SWIFT-4729-4.68.0.zip (16 KB)
  • SWIFT-4729-4.69.0.7628.zip (15 KB)
  • SWIFT-4729-4.70.1.zip (24 KB)
Posted by Jamie Edwards