The Joomla Project does not generally issue advisory notices about third party libraries or extensions.
An exception has been made in this instance in respect of a recently identified remote code execution vulnerability in the PHPMailer Library used by the Joomla! CMS (all versions from 1.6.0 - 3.6.5).
Reason: severity of the potential security threat.
The good news
The Joomla! Security Strike Team (JSST) has determined that whilst the core Joomla! CMS (all versions from 1.6.0 - 3.6.5) is not using the latest patched version of PHPMailer (v5.2.18), it is sufficiently protected from triggering the identified PHPMailer Library vulnerability without a need for a Joomla! CMS Security Fix.
The Joomla! Project will instead include PHPMailer Library v5.2.18 or later in the next scheduled release of the Joomla! CMS.
The bad news
The PHPMailer Library is also used by a number of 3rd party extensions.
The JSST has identified that those 3rd party extensions which either:
- bundle i.e. use a separate version of the PHPMailer Library, or
- do not use the Joomla! API to send email
are potentially vulnerable to remote code execution unless using the latest patched version of PHPMailer Library.
What action should you take?
If you DO NOT USE a 3rd party extension which uses the PHPMailer Library then you should not need to take any action.
If you DO USE a 3rd party extension which uses the PHPMailer Library then you should:
- visit the relevant extension developer's forum for news of a related Security Fix, and
- perform a full back up of your Joomla! CMS, just in case your website is affected by the vulnerability.
You may of course not be aware of whether or not any of your website's extensions use a separate version of the PHPMailer Library.
We would therefore advise that all Joomlers perform a full backup of their website just in case.
You should also keep a look out for extension updates over the next hours and days.
If you suspect or know that your website is using an extension which uses a separate version of the PHPMailer Library and you do not receive notice of any updates in this time then you should contact the developer.
Do not rely solely on your Joomla! CMS's Updater Plugin for news of extension updates.
We know from experience that not all extensions:
- are flagged by the Joomla! Updater Plugin, or
- have their latest available release listed in the Joomla! Extension Directory (JED).
So check the developer's downloads page using the link in the JED.
Chestnuts roasting on an open fire
Forgive the pun. It is Christmas after all!
Protect your website by:
- performing regular routine backups of your website,
- frequently checking for news of Joomla! CMS & 3rd party extension updates,
- promptly implementing security fixes,
- using as few 3rd party extensions as possible,
- being aware of those 3rd party extensions that are used by your website.
WYNCHCO Joomla! CMS Support
We coach, help and support managers with responsibility for Joomla! websites in organisations across Cheshire, Manchester, Merseyside, North West England & the UK.