SEC-2022-001 Security Fix

Hello,
I received the following mail from my FreePBX server today:

Your server [FreePBX] discovered the following security issues:
core has been automatically upgraded to fix security issues: SEC-2022-001
pms has been automatically upgraded to fix security issues: SEC-2022-001
sms has been automatically upgraded to fix security issues: SEC-2022-001
voicemail has been automatically upgraded to fix security issues:
SEC-2022-001
core has been automatically upgraded to fix security issues: SEC-2022-001
pms has been automatically upgraded to fix security issues: SEC-2022-001
sms has been automatically upgraded to fix security issues: SEC-2022-001
voicemail has been automatically upgraded to fix security issues:
SEC-2022-001
core has been automatically upgraded to fix security issues: SEC-2022-001
pms has been automatically upgraded to fix security issues: SEC-2022-001
sms has been automatically upgraded to fix security issues: SEC-2022-001
voicemail has been automatically upgraded to fix security issues:
SEC-2022-001
core has been automatically upgraded to fix security issues: SEC-2022-001
pms has been automatically upgraded to fix security issues: SEC-2022-001
sms has been automatically upgraded to fix security issues: SEC-2022-001
voicemail has been automatically upgraded to fix security issues:
SEC-2022-001

This looks a bit weird. Why is this repeated 4 times? Maybe this is fake and my system has been hacked?

I cannot find any info about SEC-2022-001

FreePBX 16.0.19, Asterisk Version: 16.25.0

I just noticed that the dashboard reports the same, so the message seems to be genuine.

-Heinrich

The notice is legit. Not sure why it’s repeated, but I’m seeing the same on my system.

https://community.freepbx.org/t/sec-2022-001-notice-of-security-issue/82571/2

Hi @lgaetz,

There is a bug: when a Commercial module is not installed, the FreePBX Dashboard still complains about a missing update somehow. Please see screenshots:
[Screenshot 2022-04-12 190646]

Are you using the Property Management (pms) module? If not, you can just delete it with

fwconsole ma delete pms

But it is already not installed; is this not the same? :)
The command ran successfully, but it's strange to me: not installed, but locally available…
Thank you :)

As discussed with the previous security incident, if the code is on your system, there is potential for exploitation depending on the exploit itself. So if the code is on your system you will be notified, etc.

It is probably a good idea to look at module admin, see anything that is uninstalled but locally available, and simply remove it to provide less surface area.

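The audit suggested in the last reply, sketched as an added example (not part of the thread and not FreePBX's own code): it reads a module table and prints, without running, the `fwconsole ma delete` command for every module that is not installed but still present on disk. It assumes `fwconsole ma list` prints a pipe-delimited table with columns Module, Version, Status, License and a status text containing "Not Installed" and "Locally available"; the function names, the module `examplemod` and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find modules whose code is on disk but not installed.
# Assumption: the module list is a pipe-delimited table with the columns
# Module | Version | Status | License, and such modules carry a status
# containing "Not Installed" and "Locally available".

# Read the table on stdin; print one module name per matching row.
list_local_uninstalled() {
    awk -F'|' '
        NF >= 5 {
            name = $2; status = tolower($4)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == "" || name == "Module") next   # skip header row
            if (status ~ /not installed/ && status ~ /locally available/)
                print name
        }'
}

# Print (do not execute) the removal command from the thread per module.
removal_commands() {
    list_local_uninstalled | while IFS= read -r m; do
        printf 'fwconsole ma delete %s\n' "$m"
    done
}

# Constructed sample table (not captured from a real system).
SAMPLE='+------------+---------+-----------------------------------+------------+
| Module     | Version | Status                            | License    |
+------------+---------+-----------------------------------+------------+
| core       | 1.0.0   | Enabled                           | GPLv3+     |
| pms        | 1.0.0   | Not Installed (Locally available) | Commercial |
| sms        | 1.0.0   | Disabled                          | Commercial |
| voicemail  | 1.0.0   | Enabled                           | GPLv3+     |
| examplemod | 1.0.0   | Not Installed (Locally available) | Commercial |
+------------+---------+-----------------------------------+------------+'

printf '%s\n' "$SAMPLE" | removal_commands
# On a live system: fwconsole ma list | removal_commands
```

Review the printed commands before running any of them; a disabled module such as `sms` in the sample is deliberately not listed, since it is installed.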
