International ILIAS Blog

On 21 June 2023, the ILIAS open source e-Learning e.V. has released an important security update for ILIAS 8 and 7. Among the security fixes mentioned in the release notes[1] [2] there is one that deserves special attention.

ILIAS is not affected by the currently reported security problem (CVE-2021-44228) for the library log4j, which is also used by ILIAS. The reason is that we use the older version 1.2.15 in ILIAS, which does not yet have the affected function, see also here.

More and more we read in the media about targeted hacks and attacks on popular software platforms, databases and content management systems. Especially software with many users can be a worthwhile target for hackers looking to steal personal information.

As server-operated software, ILIAS is also theoretically vulnerable to such attacks. So that it never comes to that though, we are working hard to prevent bugs and to close security loopholes that become known to us. Together with the technical board, we have put together a small FAQ to explain how security vulnerabilities are dealt with in ILIAS.

The Technical Board has received a security list request regarding the latest ImageMagick vulnerabilities with several remote code execution vectors among them. These were announced last week (see: ImageTragick). To exploit these vulnerabilities, an attacker needs nothing more than the possibility to upload infected image files which are supposed to be post-processed by ImageMagick. This is true for each ILIAS user who is able to upload a profile picture or images at a variety of other places. Mitigation of the issue in ILIAS is unfortunately not possible at short notice.

ILIAS administrators should use a policy file as described at the website mentioned above to disable the vulnerable ImageMagick coders. Furthermore, an updated version of ImageMagick has already been released. We strongly recommend upgrading to the latest version to allow for safe operation of your platforms.