Attackers are actively exploiting a critical remote command-execution vulnerability that has plagued the Joomla content management system for almost eight years, security researchers said.
A patch for the vulnerability, which affects versions 1.5 through 3.4.5, was released Monday morning. It was too late: the bug was already being exploited in the wild, researchers from security firm Sucuri warned in a blog post. The attacks started on Saturday from a handful of IP addresses and by Sunday included hundreds of exploit attempts to sites monitored by Sucuri.
"Today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked," the blog post reported. "That means that probably every other Joomla site out there is being targeted as well."
Millions of websites used in e-commerce and other sensitive industries are vulnerable to remote take-over hacks made possible by a critical vulnerability that has affected the Joomla content management system for almost two years.
The SQL-injection vulnerability was patched by Joomla on Thursday with the release of version 3.4.5. The vulnerability, which allows attackers to execute malicious code on servers running Joomla, was first introduced in version 3.2 released in early November 2013. Joomla is used by an estimated 2.8 million websites.
"Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable," Asaf Orpani, a researcher inside Trustwave's Spiderlabs, wrote in a blog post (the post appears to be offline at the moment, but it was working through most of Friday morning). The vulnerability, and two closely related security flaws, have been cataloged as CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858.
Joomla has put out an announcement that a new version, 3.4.5, will be released at 10 AM Eastern on Thursday that will contain a “very important security fix”. No details of the issue being fixed have been released, but this is the first time that they have put out an announcement like this as far back as we can remember, so it appears to be something that would be a major concern.
The last release that fixed a vulnerability that was exploitable in a non-targeted fashion was version 2.5.3, which came out in March of 2012.
For those still running 2.5.x, it would be a good time for you to upgrade as support for that version ended back in December. That upgrade often isn’t a one-click upgrade.