Vandaag hebben alle klanten die gebruik maken van Exact Synergy een belangrijke e-mail van Exact Software ontvangen in verband met een kwetsbaarheid binnen een software component dat in Exact Synergy wordt gebruikt.

Deze berichtgeving is bij Quercis bekend en wordt ook door ons onderkend. Let Op! Het betreft hier geen spam.

In het Exact Synergy product maakt Exact gebruik van de 3de partij Telerik user interface technologie en componenten. Onlangs is er een kwetsbaarheid (CVE-2019-18935) gevonden in het Telerik framework. In bepaalde omstandigheden kan dit leiden tot schadelijke uploads van bestanden.

Daarom is het noodzakelijk snel actie te ondernemen om eventuele risico’s te beperken.

Exact Software raadt ten zeerste aan een update van uw Exact Synergy-omgeving naar het nieuwste servicepack 265 SP1, 264 SP8 of 263 SP15 uit te voeren. Met deze servicepacks wordt de kwetsbaarheid opgelost.

Mocht je vragen hebben of een update van Exact Synergy willen plannen kun je contact opnemen met Jeroen Krugers (jeroen.krugers@quercis.nl) of kun je het contact formulier invullen.

Wij nemen dan zo spoedig mogelijk contact met je op. (houd rekening met een wachttijd)

Hieronder de volledige berichtgeving vanuit Exact Software:

In the Exact Synergy product, we make use of the 3rd party Telerik user interface technology and components. Recently, a vulnerability (CVE-2019-18935) was found in the Telerik framework. In certain circumstances, this could possibly lead to detrimental file uploads. Therefore, we emphasize that urgent action must be taken to mitigate any risk. The following options apply for your Exact Synergy environment:

1. We strongly advise updating your Exact Synergy environment to the latest service pack 265 SP1, 264 SP8 or 263 SP15. These service packs contain the structural solution for this vulnerability.
2. If you have an Exact Synergy environment with a release between 265 and 263, but you cannot update to the latest service pack in short term, an alternative is available. See below for steps and information.
3. If you have an Exact Synergy environment with release 262 or 261, we strongly advise you to update to one of the versions/service packs mentioned above in option 1. If you cannot update in the short term, please refer to option 2 mentioned above.
4. If you have an Exact Synergy environment with release 260 or lower, the first requirement is updating your Exact Synergy environment to a higher release. We do not have an Exact solution or alternative available for this vulnerability, for environments currently on or below release 260.
5. A more generic technical alternative outside the Exact solution could be to block all “POST” requests for Telerik to your Synergy environment (towards /Telerik.Web.UI.WebResource.axd) on the Webserver, Firewall (if any) or Load balancer (if any). Implementation of this option and expertise within this area must be coordinated with your IT system administrator or IT partner.

Alternative workaround Telerik vulnerability (CVE-2019-18935)

If it is not possible to update Exact Synergy, then it is possible to disable the Telerik functionality that contains this vulnerability. By doing this a function of Telerik framework is disabled that is used to do asynchronous file uploads. This is achieved by placing a setting flag in the web.config of Exact Synergy placed in the root of the Exact Synergy installation folder.

Important

• Web.config is an XML file that stores information in a tree structure. Because of this, this setting must be placed in a specific location.
• Web.config is caption sensitive. The setting must be placed exactly as noted in the steps below.
• After placing this setting, the Internet Information Services will execute an application pool reset automatically. Make sure that no users are active in Exact Synergy and take this into account by planning/choosing the correct moment to do this. We also recommend executing an IISRESET manually to be sure that the changes are applied.
• Always make sure that there is a possibility to revert your changes by making a copy of web.config before applying this change.

Steps

1. Inform users that Exact Synergy will be offline for a short moment. Best approach is to plan/pick a suitable moment to apply these changes.
2. In File explorer go to you Exact Synergy installation folder and make a copy of web.config to a save location outside the Exact Synergy installation folder.
3. Open web.config with Notepad and locate the node by searching for this text using [File \ Search]
   
4. Add the setting below to under the node:
   <add key=”Telerik.Web.DisableAsyncUploadHandler” value=”true”/>
   
5. Save this file
6. Open an elevated command prompt [Start \ type CMD \ CTRL+SHIFT+ENTER]
7. Type IISRESET and press ENTER
   
8. Open Exact Synergy and confirm that it is working as expected.

If there are any error messages while using Exact Synergy, please revert to the previous copy of web.config and execute an IISRESET again. If you still encounter issues working with Exact Software please contact Exact Support for further assistance

Contact details

Please do not hesitate to contact Exact Customer Support for questions or remarks. Exact Customer Support is 24/7 available via our Customer Portal https://customers.exact.com and every Monday to Friday from 8:30 pm to 5:30 pm (UTC+01:00, Amsterdam) at +31 (0)15 711 51 00.