Date: 16 February 2023.
The Joomla! Project has announced the release of Joomla! 4.2.8.
Joomla! 4.2.8 is a Critical Security Release which addresses a critical security vulnerability in the web services API.
It is essential that users of Jomla! 4.x update their website without delay.
Affected Joomla! Versions include 4.0.0 - 4.2.7.
The Joomla! Project also advise changing some key passwords.
"This release only contains the security fix; no other changes have been made compared to the Joomla! 4.2.7 release.
After the release, we strongly advise you to renew the passwords for all credentials that are stored in the global site configuration, namely:
- HTTP proxy
The issue has been reported in a responsible disclosure process, there have been no signs of exploitation on public sites."
Source: The Joomla! Project.
All of the above settings can be found under the Server tab in Global Configuration.
"An application programming interface (API) is a way for two or more computer programs to communicate with each other."
If you cannot update your Joomla! 4.x website to v4.2.8 then you may wish to consider installing Akeeba Admin Tools, which adds a Web Application Firewall to your website.
Reason: the developer has added a new feature to Akeeba Admin Tools v7.2.3 which enables you to patch the vulnerability which is addressed by Joomla! 4.2.8.
Read the extract from the Akeeba Admin Tools v7.2.3 Release Notes - see below - to learn just how critical it is to update your website to Joomla! 4.2.8.
Or to install Akeeba Admin Tools v7.2.3.
"Block Joomla API exploitation in Joomla 4.0 to 4.2.
Joomla 4.0-Beta2 up to and including Joomla 4.2.7 have had a critical security issue in the Joomla API which would allow an attacker to bypass the API authentication, allowing the(m) to read (but not modify) information from your site.
This would even allow them to read the contents of your configuration.php file which contains all the secrets such as your database connection information, email server configuration, and the secret key used for the security tokens and settings encryption on your site.
This issue was addressed in Joomla 4.2.8.
If for any reason you are unable to upgrade to Joomla 4.2.8 you are advised to immediately install Admin Tools Professional 7.2.3 which contains an automatic mitigation for this issue."
Why you should act quickly when security updates are announced
The Minutes of The Joomla! Project's Production Department meeting held on 21 February 2023 include the following statement made by the Security Strike Team:
- "First automated attack waves have been registered in less than 12 hours after the release".
Are you still using Joomla! 3.10 or earlier?
If you are still using an older version of Joomla! CMS with your website then be aware that the clock is ticking.
Joomla! Project support for Joomla! 3.10 ends completely in August 2023.
No earlier versions of the Joomla! CMS are supported by The Joomla! Project.
If you need help migrating your website to Joomla! 4.2, just ask.
The HTACCESS file included with the Joomla! 4.2 version of Joomla! CMS includes the following comment.
# If you are using an OpenLiteSpeed web server then any changes made to this file will
# not take effect until you have restarted the web server.
What is OpenLiteSpeed?
How should you respond?
Click the blue button to enable the Multi-factor Authentication Plugins introduced with Joomla! 4.2.
Back up before updating the Joomla! CMS
Any update can break your website.
Perform a FULL backup of your website (database and files) before installing any update.
Protect your Joomla! website
We recommend that you protect your assets by installing a Web Application Firewall.
Need help, just ask.
Make Joomla! CMS Security your #1 Priority
We offer Joomla! coaching, help and support to businesses and organisations across Cheshire, Manchester, Merseyside, North West England & the UK.