Tuesday, May 3, 2016

ImageMagick: Remote execution vulnerability (CVE-2016–3714)

Several security vulnerabilities have been recently discovered for certain ImageMagick coders. Specifically, the vulnerabilities include possible remote code execution and the ability to render files on the local system.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s Imagick, Ruby’s RMagick and Paperclip, and nodejs’s imagemagick.

More information about the vulnerability can be found on the ImageMagick website. (Updated 05/05 The issue has been named as ImageTragick.)


If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing this:

1. Edit the policy.xml file of ImageMagick:
/opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
2. Add the following policy rules (updated 05/05):
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

3. Verify your policies with the following command:
convert -list policy
Below is an example policy output:
Path: [built-in]
  Policy: Undefined
    rights: None 
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL
...

The Bitnami Team is working hard on updating the library to its latest version in order to fix this issue in our future releases. If you have questions about ImageMagick or the security vulnerability, please post to our community forum, and we will be happy to help you.