CISA issued an emergency notice to all developers using Discourse, warning them to update the software to the latest version to patch an RCE bug.
Discourse versions 2.7.8 and earlier are affected by a critical bug that, if exploited, lets attackers execute commands remotely on the compromised systems. A public scan through Shodan showed that all Discourse SaaS instances have already been patched.
Discourse RCE Bug
Discourse is open-source online forum and mailing list software used by millions of people daily. Given that user base, CISA has issued a notice urging all developers running Discourse to update the software immediately.
The software has a critical RCE bug that malicious actors can exploit by sending a specially crafted file to a vulnerable Discourse client. The bug is tracked as CVE-2021-41163 and rated critical by CISA.
The bug is described as “a validation bug in the upstream aws-sdk-sns gem” and affects Discourse versions 2.7.8 and earlier. A patch was issued on Friday; until then, the recommended temporary workaround was that “requests with a path starting /webhooks/aws could be blocked at an upstream proxy.”
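For administrators who cannot patch immediately, the two practical questions are whether a given instance falls in the affected range and whether the proxy-level workaround is actually blocking the webhook path. The script below is an added example, not code from Discourse or from the article: it applies the "2.7.8 and earlier" rule to a version string, mirrors the path-prefix rule an upstream proxy would enforce, and scans access-log lines (constructed samples, not real traffic) for requests that hit that prefix so that blocked and unblocked attempts can be told apart. The log format, IP addresses and paths are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Optional

# Vulnerable range stated in the advisory: Discourse 2.7.8 and earlier.
LAST_VULNERABLE_VERSION = (2, 7, 8)

# Path prefix named in the temporary workaround. An equivalent nginx rule at an
# upstream proxy would be:
#   location ^~ /webhooks/aws { return 403; }
BLOCKED_PREFIX = "/webhooks/aws"

# Constructed sample access log lines in common/combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2021:10:01:02 +0000] "POST /webhooks/aws HTTP/1.1" 200 12
198.51.100.7 - - [22/Oct/2021:10:01:05 +0000] "GET /t/some-topic/42 HTTP/1.1" 200 8123
203.0.113.5 - - [22/Oct/2021:10:01:09 +0000] "POST /webhooks/aws/ HTTP/1.1" 403 0
192.0.2.9 - - [22/Oct/2021:10:02:00 +0000] "GET /webhooks/awsx HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_vulnerable_version(version: str) -> bool:
    """Return True if the version is 2.7.8 or earlier.

    Only the leading numeric components are compared; a pre-release suffix
    such as '.beta6' is ignored, so this is a coarse check, not a substitute
    for the project's own release notes.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) <= LAST_VULNERABLE_VERSION


def blocked_by_workaround(path: str) -> bool:
    """Mirror the proxy rule: block any request whose path starts with the prefix."""
    return path.startswith(BLOCKED_PREFIX)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_webhook_requests(log_text: str) -> List[Dict[str, object]]:
    """Return every parsed request whose path the workaround would block.

    A 403 on such a request shows the proxy rule is in place; a 2xx means the
    request reached Discourse and the instance should be checked and patched.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and blocked_by_workaround(str(rec["path"])):
            rec["reached_app"] = 200 <= int(rec["status"]) < 300
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for v in ("2.7.8", "2.7.9", "2.8.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not in stated range")
    for h in find_webhook_requests(SAMPLE_LOG):
        flag = "REACHED APP" if h["reached_app"] else "blocked"
        print(h["client"], h["method"], h["path"], h["status"], flag)
```

Run against a real access log, the `reached_app` flag is the useful signal: requests to the prefix that returned 2xx were not stopped by the proxy workaround, whereas 403s confirm the rule is active. The version helper is deliberately strict to the range given in the advisory and does not try to reason about pre-release builds.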
While CISA urges everyone to update to the latest version, a scan by BleepingComputer through Shodan found that all Discourse SaaS instances online are already patched.
In a statement to ZDNet, Saryu Nayyar, CEO of the cybersecurity company Gurucul, said:
“It’s critically important for both systems administrators and individual users to keep up with security information from software providers and to install patches promptly. We can’t rely on Microsoft or other OS vendors to automatically push patches to our systems. Users of Discourse software should test and install this patch as their most important priority.”