Hello Everyone,
This release addresses 2 major issues with Theopenem.
First,
I have removed the impersonation code required by the WIE generator from the Toems-UI. This should resolve the Toems server component being detected as a virus. By this point, both the Toems server and the Toec client should be free of this obnoxious virus false positive. Additionally, all Toems and Toec binaries are now signed, including the Toems installation MSIs. For reasons already discussed, the Toec client installer is not signed, but the binaries inside of the installer are.
Second and more importantly,
A security researcher discovered a privilege escalation vulnerability in Theopenem. This has been patched as of 1.5.8. I'm keeping the details private as to give everyone time to update to this version and will release more information in the coming months. Here is the information I can share at this point:
- This vulnerability affects the Toems server only. The Toec client and the Toec-API are not impacted.
- It requires that the attacker already have login credentials to Theopenem in order to exploit.
- The attack cannot come through the Toec-API, which should be the only potential public facing API. If you have followed the recommendations, your Toems-UI and Toems-API should not be available outside your network. This means the attack surface is limited to only users on your network that also have credentials for Theopenem.
Next steps:
Upon updating to 1.5.8, as a precaution, you should change the password of all local Theopenem users; Active Directory logins are not affected. You should also reset the password for any impersonation accounts that you have saved into Theopenem.
Documentation on updating to Theopenem 1.5.8 can be found at:
https://docs.theopenem.com/latest/tutorials/updating.html
Feel free to reach out with any questions or concerns.
A quick status update,
I have decided to make the next major release of Theopenem 2.0. This will move the entire code base to .NET 9. I was originally planning to only update the UI in the first phase, but now it makes more sense to just move it all at one time. This will obviously add additional time to the release. I will continue making upgrades to the existing 1.x.x versions as needed.
-Jon