Kaseya Community

9.3.0.33 Patch Release - 11 December 2017

  • Hello,

    We have just released Kaseya VSA Patch 9.3.0.33:

    http://help.kaseya.com/webhelp/EN/RN/index.asp#40022.htm

    9.3.0.33 Patch Release - 11 December 2017

    Security Fixes

    • Fixed a code execution security issue -- authenticated users have the ability to upload files to the VSA server as required to distribute software and other files, however, in some cases, authenticated users have the ability to execute certain files on the VSA server. File uploads now have additional restricted privileges to prevent execution. (PT-516/SDP-3847)
    • Fixed an authentication bypass security issue -- authenticated users with knowledge of the underlying system have the ability to manipulate inputs to view machines that they are not allowed to view within their VSA scope. (PT-509/APPF-2576)
    • Fixed an arbitrary file read security issue -- authenticated users with knowledge of the underlying VSA system have the ability to download files from the VSA or remote computers whose files have been synced to the VSA. (PT-510/SDP-2047) (PT-511/SDP-2641) (PT-512/SDP-2640) (PT-513/SDP-2639)
    • Fixed a potential SQL injection flaw in the VSA web GUI which can only be accessed by authenticated administrators. (PT-515/APPF-2964)
  • And now it's gone....

  • This is patch 9.3.0.33, for Kaseya VSA 9.3, and should still be available.

    Kaseya VSA Patch 9.4.0.33 was pulled, which I communicated in the following thread:

    http://community.kaseya.com/xsp/f/355/t/23723.aspx

    We are expecting VSA Patch 9.4.0.34 to come out very shortly to correct the issue with the API.

    If you are seeing otherwise, please let me know.