SQL Injection Security Vulnerability
<p>This article contains details relating to the SQL Injection vulnerability affecting various versions of Halo.</p>
<p>This security update addresses an issue that could allow malicious actors to execute unauthorised database queries by supplying a carefully constructed payload.</p>
<p>The vulnerability was found and reported by a 3rd party Security Research team, and there is no evidence of any exploit in our cloud-hosted environment or for a selection of On-Prem customers that we have worked with.</p>
<p>Hosted customers have been automatically updated to a patch to resolve this issue, and therefore no action is required by hosted customers.</p>
<p>Halo On-Prem installations should apply the latest patch based on their chosen release channel.</p>
<ul><li><strong>Stable:</strong> Patched in version 2.174.94</li><li><strong>Candidate:</strong> Patched in version 2.184.23</li><li><strong>Beta:</strong> Patched in version 2.186.2</li></ul>
<p><u><strong>Details of the issue</strong></u></p>
<p>The vulnerability is exploited via the '/api/Notify' endpoint: the code on that endpoint which handles the 'LogMeIn Rescue' integration allowed pre-authentication (unauthenticated) SQL injection.</p>
<p><strong><u>Remediation Actions</u></strong></p>
<p>After the exploit was reported to Halo, all hosted environments were upgraded to the relevant patches approximately 6 hours after the initial report was raised. Hosted environments have been checked for instances of exploitation, and no evidence of such occurrences has been found.</p>
<p>Communications have been sent to On-Prem customers advising that they upgrade to one of the above patches <strong>as soon as possible</strong>, highlighting the importance of prioritising this patch due to the security concerns.</p>
<p><u><strong>Next Steps</strong></u></p>
<p>No action is required on the part of our hosted customers.</p>
<p>We will continue to monitor our hosted infrastructure to ensure the same level of service and security that you expect.</p>
<p>The DevOps team is currently performing a complete code audit of all unauthenticated endpoints, and we have also requested that our contracted 3rd party attack surface/vulnerability management partners perform additional code audits.</p>
<p>This particular instance was using a function of our application that is no longer in use for newly submitted changes.</p>
<p>Full details will be shared by the 3rd party vulnerability management team shortly.</p>
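<p>The defect class behind an advisory like this one is an endpoint that splices caller-supplied input straight into SQL text. The following is an added example, not Halo's code and not the actual '/api/Notify' handler: it simulates an unauthenticated integration callback against an in-memory SQLite table, showing the vulnerable string-building form beside the parameterized fix and an allowlist check on the input format. The table name, columns, session ids and the hypothetical <code>notify_*</code> handlers are all constructed for the demonstration.</p>

```python
"""Added example (not Halo's code): SQL injection via string-built queries
in a pre-authentication callback handler, and the parameterized fix.
Schema, rows, handler names and the tampered value are all constructed."""
import re
import sqlite3

# Constructed schema standing in for an integration's session-tracking table.
SCHEMA = """
CREATE TABLE rescue_sessions (
    session_id TEXT PRIMARY KEY,
    ticket_id  INTEGER NOT NULL,
    status     TEXT NOT NULL
);
INSERT INTO rescue_sessions VALUES ('sess-100', 1, 'open');
INSERT INTO rescue_sessions VALUES ('sess-200', 2, 'open');
INSERT INTO rescue_sessions VALUES ('sess-300', 3, 'closed');
"""


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def notify_vulnerable(conn: sqlite3.Connection, session_id: str) -> list:
    """Hypothetical callback handler that formats the caller's value into
    the SQL text. The input becomes part of the query's structure rather
    than data for it, which is the defect class the advisory describes."""
    sql = (
        "SELECT session_id, ticket_id FROM rescue_sessions "
        f"WHERE session_id = '{session_id}'"
    )
    return conn.execute(sql).fetchall()


def notify_fixed(conn: sqlite3.Connection, session_id: str) -> list:
    """Same lookup with a bound parameter: the driver passes the value
    separately, so quote characters in it cannot alter the WHERE clause."""
    sql = "SELECT session_id, ticket_id FROM rescue_sessions WHERE session_id = ?"
    return conn.execute(sql, (session_id,)).fetchall()


# Constructed ids for this demo only look like [A-Za-z0-9-]; reject anything
# else before it reaches the database (defence in depth for an
# unauthenticated endpoint, not a substitute for parameterization).
SESSION_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")


def is_well_formed_session_id(value: str) -> bool:
    return SESSION_ID_RE.fullmatch(value) is not None


# Constructed tampered value: it closes the string literal and widens the
# WHERE clause so the string-built query matches every row.
TAMPERED = "x' OR '1'='1"


def demo() -> dict:
    """Run both handlers on a legitimate id and on the tampered value."""
    conn = make_db()
    return {
        "legit_vulnerable": notify_vulnerable(conn, "sess-100"),
        "tampered_vulnerable": notify_vulnerable(conn, TAMPERED),  # all 3 rows
        "legit_fixed": notify_fixed(conn, "sess-100"),
        "tampered_fixed": notify_fixed(conn, TAMPERED),  # no such id: empty
        "tampered_well_formed": is_well_formed_session_id(TAMPERED),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

<p>Running the block shows the string-built handler returning every session for the tampered value while the parameterized handler returns nothing, which is the behaviour a patch for this class of issue restores. When auditing unauthenticated endpoints, the thing to grep for is any query text assembled with formatting or concatenation from request data; the format allowlist is a second layer that also makes hostile input easy to log and alert on.</p>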