Joomla 3.4.5 Released

Recently we had a major issue with WordPress; this time it is a patch for Joomla, in its most recent 3.x series. All websites need to be kept up to date with version and security updates. Check your site every month and apply the required patches and upgrades, or get someone to do it. Set up alerts to get warnings from WordPress or Joomla. It is your website, your investment and your responsibility.

The Joomla team just released a new Joomla version (3.4.5) to fix some serious security vulnerabilities. The most critical one is a remote, unauthenticated SQL injection in the com_contenthistory module (included by default) that allows a full takeover of the vulnerable site. This could be double Dutch to you, but someone needs to be on top of these issues for you.

Directly from the Joomla announcement:

Official statement: “Joomla! 3.4.5 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.4 release.” Ignore this and risk serious issues with your website. See full statement here.

“Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn’t require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.”

“If you are using Joomla, patch it now!” Daniel Cid OSSEC HIDS