CVE-2018-21031 - bypass access control

Server Version#:1.18.2.2029
Player Version#:
Hi all

Just wondering what we should be doing about this?

https://vuldb.com/?id.145911

Is there any mitigation strategy? Are earlier versions affected? Any updates from Plex on when a fix might be available?

This seems like a big deal to me.

It is being reviewed by the security team.

We will know more when their investigation is complete.

Is there any sort of ETA? As a precaution is it recommended to take servers offline and keep them local to the LAN?

Expect an official response shortly.
But be advised that this is not really a Plex issue but one of Tautulli.
If you don’t have Tautulli running, no issue.
If you have Tautulli running, but have set it to require authentication when accessed, no issue.

That's interesting news. I appreciate it.

The solution is to enable authentication in Tautulli before publicly publishing it on the internet. Authentication in Tautulli has been a feature since the beginning.

Side note: Will Plex consider having permission scopes for tokens?


Make sure Tautulli requires authentication. If not, anyone can get your Plex Token and use that for access to your server.
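The two posts above both say the same thing: the only fix is to make sure Tautulli (or any web UI you expose) refuses unauthenticated requests. Here is a small probe, added here as an example and not code from the thread, Plex or Tautulli, that checks this from the outside. It sends one unauthenticated GET, does not follow redirects, and classifies the answer as "protected" (401/403, or a redirect to a login page, or a page containing a password field) or "open" (a 200 with ordinary content). The login path hints and the embedded stub server are assumptions built for the example so it runs offline; Tautulli's real login path is not taken from the page.

```python
"""Probe whether an exposed web UI answers without authentication.

Added example, not Tautulli's or Plex's own code. The stub server below
stands in for an exposed instance so the probe can run offline.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption: typical paths an app redirects to when auth is enabled.
LOGIN_PATH_HINTS = ("/auth/login", "/login")
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, body):
    """Classify one unauthenticated response as protected / open / unknown."""
    if status in (401, 403):
        return "protected"
    if status in REDIRECT_CODES and location:
        path = urlparse(location).path.lower()
        return "protected" if any(h in path for h in LOGIN_PATH_HINTS) else "unknown"
    if status == 200:
        text = body.lower()
        # A login form served on the root page also counts as protected.
        if 'type="password"' in text or "name=\"password\"" in text:
            return "protected"
        return "open"
    return "unknown"


def probe(base_url, path="/", timeout=5):
    """GET base_url+path with no credentials and classify the reply."""
    req = urllib.request.Request(urljoin(base_url, path),
                                 headers={"User-Agent": "auth-probe-example/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.getcode(), resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        body = err.read(65536).decode("utf-8", "replace")
        return classify(err.code, err.headers.get("Location"), body)


class _StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an exposed instance; `mode` picks its behaviour."""

    mode = "open"

    def do_GET(self):
        if self.mode == "redirect":          # auth enabled, bounce to login page
            self.send_response(302)
            self.send_header("Location", "/auth/login?redirect_uri=%2F")
            self.end_headers()
        elif self.mode == "basic":           # auth enabled via reverse-proxy basic auth
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            self.end_headers()
        else:                                # no auth: dashboard served to anyone
            body = b"<html><body><h1>Recently Watched</h1></body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):            # keep the example quiet
        pass


def serve_stub(mode):
    """Start a stub on 127.0.0.1:<ephemeral>; return (server, base_url)."""
    handler = type("StubHandler", (_StubHandler,), {"mode": mode})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe_stub(mode):
    """Run probe() against a stub in the given mode and return the verdict."""
    srv, url = serve_stub(mode)
    try:
        return probe(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for mode in ("open", "redirect", "basic"):
        print(f"stub mode={mode:8s} -> {probe_stub(mode)}")
```

Run it against a real host with `probe("https://your.public.host")` from a network that is not your LAN; an "open" verdict means anyone on the internet sees what you see, and in Tautulli's case that includes the Plex token it holds for your account.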

Not a big deal at all. Like anything, you need to secure anything you expose to the internet. This is not an "exploit" IMO, just a terrible security practice by the user of the software. If you forget to lock your door at home and someone comes in and takes all your stuff, it's not the lock manufacturer's fault you did not lock your door.


Yeah, it is good practice to secure anything that is exposed to the interwebs.
Connecting some 3rd party app or service to your main plex account and then leaving it open is just foolish.


Agreed on all of the above best practices, but up until I posted, I could not find any public message from plex on what was actually impacted, with the only information out there being that Plex itself had an access control vulnerability.

It will be good to have an official posted response from Plex.

I don’t have any unauthenticated services on my network, nor do I have this tautulli installed. But again. The only public notice about this is vague and specifically mentions Plex, nothing else.

Yes that is because whoever put that CVE in does not know what they are talking about and are trying to make a big deal out of nothing.


Sure. But that's why it is important to prepare an official response; until that happens, what is listed in the CVE will stand as "truth" and people should take appropriate steps to protect their networks. This is why I posted asking the question here when I couldn't find any official statement.

In the security world you need to react quickly to this sort of report to protect your assets and then roll back as more information becomes available.

Hello,

We posted our official response here now: Security: Regarding CVE-2018-21031

Sorry it took a little while, but we were notified at the same time as everyone else; the issue was not responsibly disclosed to our team directly.

Yes, we have 100% considered this. It's a pretty big change and would probably break older clients, so we would have to be careful about it. But it's definitely something we want to do.

