On 21 June 2023, the ILIAS open source e-Learning e.V. has released an important security update for ILIAS 8 and 7. Among the security fixes mentioned in the release notes[1] [2] there is one that deserves special attention.

The German "Bundesamt für Sicherheit in der Informationstechnik" (BSI) identified severe security issues with the Workflow Engine (WFE) in ILIAS. Because these issues were inherent in the design of the component, it was decided at the JourFixe to follow the recommendation of the BSI to remove the WFE from ILIAS. The WFE was deactivated for ILIAS 7 and 8. Most code will be removed with ILIAS 9 and the rest will be completely removed with ILIAS 10.

The following security issues were fixed with these releases:

Remote Code Execution in the Workflow Engine (BPMN2 parser)

• Affected versions: ILIAS ≤ 7.22, ILIAS ≤ 8.2
• Fixed in version: ILIAS 7.23, ILIAS 8.3
• CVSS-Score: 6.7 (Medium)
• CVE-ID: CVE-2023-36485
  

By uploading a specifically crafted workflow definition file (BPMN2), arbitrary code can be executed on the server (RCE).

Remote Code Execution in the Workflow Engine (malicious filename)

• Affected versions: ILIAS ≤ 7.22, ILIAS ≤ 8.2
• Fixed in version: ILIAS 7.23, ILIAS 8.3
• CVSS-Score: 6.7 (Medium)
• CVE-ID: CVE-2023-36486
  

By uploading a workflow definition file with a specifically crafted file name, arbitrary code can be executed on the server (RCE).

Disclosure History

• 2023-05-02: The BSI first reached out to the ILIAS Security Group
• 2023-05-15: The BSI sent the details for the identified security issues
• 2023-06-12: The JourFixe decided to remove the WFE
• 2023-06-21: Fixed versions were released
• 2023-09-26: Published details of the security issues