((OTRS)) Community Edition News

Let's Encrypt SSL Certificates for ((OTRS)) CE

Web applications that store and transmit any kind of sensitive or personal data should only allow secure, encrypted traffic. Yet, the traditional method of installing ((OTRS)) Community Edition didn't really cover this part, leaving it as an exercise for the administrator. And while configuring SSL on a server isn't too difficult, it does require additional work and might take quite a bit of time if things don't go smoothly right away.

Let's Encrypt

We strive to make ((OTRS)) Community Edition more secure and easier to use, not only for end users, but administrators as well, so we thought it's time to address this matter. The new version of our automated Shell Installer utility allows you to easily install a free SSL certificate provided by the non-profit Let's Encrypt project. All you need is to have a domain name pointing to the server on which the system is being installed, and to provide an e-mail address for administrative notifications.

This is how the configuration looks during installation:

SSL certificate configuration

The installed certificate will be automatically renewed, as is usually the case with Let's Encrypt certificates. The system will also be configured to enforce encrypted connections if a browser tries to connect using plain HTTP.
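The two properties just described (plain HTTP is redirected to HTTPS, and the certificate keeps being renewed) are easy to verify after an installation. The script below is an added example written for this page, not part of the Shell Installer or of any OTRS code; the host name is a placeholder, and the 20-day warning threshold is an assumption chosen because Let's Encrypt certificates are valid for 90 days and are normally renewed about 30 days before expiry. The decision logic is kept in pure functions so it can be run offline on constructed responses; only `check_host()` touches the network.

```python
"""Post-installation TLS checks for a web application served with a Let's Encrypt
certificate. Added example, not part of the OTRS CE Shell Installer.

Checked properties:
  1. a plain-HTTP request to the host is redirected to https:// (encryption is
     enforced rather than merely offered);
  2. the certificate presented on port 443 still has comfortably more than the
     renewal margin left. Let's Encrypt certificates are valid for 90 days and
     are normally renewed about 30 days before expiry, so a certificate seen
     with much less than that left suggests automatic renewal is not running.
The decision logic is in pure functions so it can be exercised offline on
constructed inputs; only check_host() touches the network.
"""
import http.client
import socket
import ssl
import sys
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption for this example: flag certificates with fewer days left than this.
RENEWAL_WARNING_DAYS = 20


def https_enforced(status: int, headers: Dict[str, str], host: str) -> bool:
    """True if an HTTP response redirects to https:// on the same host.

    Anything else (a page served over plain HTTP, a redirect that stays on
    http://, a redirect to some other host) counts as not enforced.
    """
    if status not in (301, 302, 307, 308):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(lowered.get("location", ""))
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def cert_days_remaining(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days until the certificate's 'notAfter' time.

    not_after uses the format ssl.SSLSocket.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT'.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((expires - now_epoch) // 86400)


def renewal_healthy(days_remaining: int, warn_below: int = RENEWAL_WARNING_DAYS) -> bool:
    return days_remaining >= warn_below


def fetch_http_response(host: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """GET / over plain HTTP and return (status, headers) without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k: v for k, v in resp.getheaders()}
    finally:
        conn.close()


def fetch_cert_not_after(host: str, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the certificate's notAfter field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str) -> Dict[str, object]:
    """Run both checks against a live host and report the findings."""
    status, headers = fetch_http_response(host)
    days = cert_days_remaining(fetch_cert_not_after(host))
    return {
        "https_enforced": https_enforced(status, headers, host),
        "cert_days_remaining": days,
        "renewal_healthy": renewal_healthy(days),
    }


if __name__ == "__main__":
    # Placeholder host name; pass the real installation's domain as the first argument.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "helpdesk.example.com"
    for name, value in check_host(target_host).items():
        print(f"{name}: {value}")
```

Run it as `python3 tls_check.py helpdesk.example.com` against the domain given to the installer; a `https_enforced: False` result means a browser that types the bare host name is still served over plain HTTP, and a low `cert_days_remaining` with `renewal_healthy: False` means the renewal job deserves a look before the certificate lapses.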

The updated shell installation tool is now available in the Downloads section and we welcome you to try it out. It is still considered experimental, but will soon be ready for prime time.

((OTRS)) Community Edition Version 6.0.33 Released

Version 6.0.33 of ((OTRS)) Community Edition is now available.

This version comes with several security fixes, including a denial of service vulnerability that potentially allowed an attacker to cause a performance drop or even a complete crash of the system by sending a specially crafted e-mail message. This vulnerability was discovered by Alberto Molina and reported by OTRS AG in security advisory OSA-2021-16.

In addition to that, this release comes with numerous updates to JavaScript libraries, fixing a number of vulnerabilities discovered in previously distributed versions:

  • CKEditor updated from version 4.16.0 to version 4.17.1
    (fixed several XSS vulnerabilities -- release information: CKEditor 4.17)
  • jQuery UI updated from version 1.12.1 to version 1.13.0
    (fixed several XSS vulnerabilities -- security advisories: GHSA-gpqq-952q-5327, GHSA-j7qv-pgf6-hvh4, GHSA-9gj3-hwp5-pmwc)
  • Moment.js updated from version 2.18.1 to version 2.29.1
    (fixed a ReDoS vulnerability -- release information: moment 2.19.3 changelog)
  • Nunjucks updated from version 3.0.1 to version 3.2.3
    (fixed a prototype pollution vulnerability -- issue description: #1331)

The new version is available for download in the Downloads section as a Shell Installer package, and as compressed source archives.

New Agent User Interface Demo

As our refreshed version of the ((OTRS)) Community Edition agent interface is getting closer and closer to release, we have made it available for testing on our demo server. If you would like to take a peek at how the new interface looks and feels, you are welcome to go to new.demo.otrsce.com and try it out!

You will find a switch at the bottom of the page which toggles between the old and new interface style, making it easy to compare the original look and the refreshed one.

User interface switch

Please keep in mind that this version is not ready for prime time yet; there are still a lot of (mostly) small fixes that need to be made, and we're working on them -- watch this space for updates.

A Demo Says a Thousand Words

When looking for the next help desk system for your company, nothing beats being able to take it for a spin. Our website now allows you to easily try out ((OTRS)) Community Edition by launching your own test instance that you can use for up to 7 days. You can also share a link to the demo if you want to test the system with your workmates.

Enjoy testing the system! And as always, if you need help or have any questions, just let us know.

Delays (but Also Pictures)

If there's one thing that all software projects have in common, it's delays. Our fork of ((OTRS)) Community Edition is no different: it's taking us longer than expected to reach the next planned milestones, so we decided to update our roadmap again and move the release of the refreshed agent interface, as well as the report from our security audit, into early September.

The main reason is that we simply have way more work than we expected building solutions around OTRS CE for our business clients. While this has the positive outcome of growing the user base of the fork, it also means we have less time for the day-to-day development of the core application. To address that, we're working on expanding our team, so hopefully things will improve in the next couple of weeks.

Of course, this doesn't mean we have made no progress on the items on our roadmap. As a teaser, here are a few screenshots showing how the agent interface will look after the refresh (click to enlarge).

Agent dashboard:

Agent dashboard

New phone ticket screen:

New ticket form

Customer users administration screen:

Customer users administration screen

These are still work-in-progress and subject to change, but you get the picture (literally).

And to tease a bit more, we are also working on a few features not included in the roadmap, but ones that we believe will be useful to the users. Watch this space for more information in the next week or two.

Installing OTRS CE with Flying Colors

One of the nuisances of the classic version of ((OTRS)) Community Edition is that when installing the system from source (rather than system software repositories, using e.g. yum or apt), the installation process is a bit tedious. It requires the user to go through a series of configuration tasks, choosing the right variant for their operating system. Why do that manually though when you have a machine that's perfectly capable of following strict instructions?

This led to the idea of making an installation utility to automate most of this process and make it easier, faster, and less error-prone. Most importantly, we wanted to make the installer user-friendly, so even though it's a command-line application, we decided to use colorful, well-formatted output to clearly communicate what's happening during the installation and to present the user with straightforward, simple choices.

And, in the spirit of classic terminal-based software, we even added an ANSI-art splash screen:

((OTRS)) CE installation welcome screen

At this point the installer is able to perform a full installation of ((OTRS)) Community Edition version 6.0.32 on CentOS 8, and Ubuntu Server support is in the works. Before the first release, we plan to add support for a few more configurations.

Watch the short video below to get a sneak peek at how the tool works and see the complete installation process on a plain CentOS 8 machine:

Our plans for further development of the installer include:

  • Support for more distributions and configurations
  • Support for different databases
  • Support for external database servers
  • Unattended installation mode

With the first release, we will also open source the tool so that the community can participate in its development.

Updates to Development Roadmap

Our 2021 development roadmap has just been updated to reflect some changes to the original timeline that we decided to make.

Most importantly, we have taken more time to work on fixing the security issues both in the base ((OTRS)) Community Edition system and in its popular add-ons (namely, new versions of the FAQ and ITSM Configuration Management packages).

The initial idea was to finish the security audit and then release a new version of the software. However, with a number of security issues discovered during the audit, as well as found in other forked versions, we decided it's more important to roll out the security fixes to users as soon as possible rather than wait until the audit is concluded. The result was the recent 6.0.32 release, which saw the light of day last week.

This doesn't mean we made no progress on the items in the roadmap -- here are a few updates on the items planned for the nearest future:

  • Refreshed agent interface - We are making steady progress on subsequent screens and UI elements of the refreshed interface. The first version to make it into a release is planned for the end of June.
  • Easier installation and update process - This has been split into separate items and so far most of our focus was on the new installation part, putting updates aside for later. We plan to have a working solution that we can show to the community around mid-June. Expect some more information next week!
  • Internal security audit - With most of the research work completed, we are in the process of collecting the findings and putting together a report. Our goal is to publish it in the second half of June.

As always, we are open to any comments and suggestions about our plans.

((OTRS)) Community Edition Version 6.0.32 Released

We have just released version 6.0.32 of ((OTRS)) Community Edition.

This is a security release which fixes numerous vulnerabilities discovered during our ongoing security audit, as well as reported in other forked versions of ((OTRS)) Community Edition based on the original project.

We advise all users of previous versions of the software to update to this release to improve the security of their systems and data.

The following security issues are fixed in this release:

  • A serious Cross-Site Scripting (XSS) vulnerability in ticket overview (identified by Znuny GmbH and Nina Knipprath)
  • A regular expression-related denial of service (DoS) vulnerability (identified by Znuny GmbH)
  • Unauthorized listing of ticket recipients via AJAX call (discovered during internal security audit)
  • Unauthorized access to calendar appointment data (discovered during internal security audit)
  • Possible agent and customer user account enumeration through password recovery feature (discovered during internal security audit)
  • Possible agent user account enumeration through public calendar URL (discovered during internal security audit)
  • A minor reflected XSS issue in appointment edit popup (discovered during internal security audit)

Additionally, a few bundled Perl modules have been updated in this release due to security issues in previously distributed versions:

  • LWP updated from version 6.26 to 6.54
  • XML::Simple updated from version 2.24 to 2.25
  • YAML updated from version 1.23 to 1.30

Visit the Downloads section to download this release.

ITSM Configuration Management Package Security Fix Released

Continuing our efforts to ensure the security of ((OTRS)) Community Edition, we have just released a new security fix for one of the popular ITSM packages.

Having just published a fixed version of the FAQ package, the next item on our list was the ITSMConfigurationManagement package, which was the subject of another recent security advisory issued by OTRS AG: OSA-2021-07.

Again, the information provided in the advisory wasn't too specific:

Agents are able to see linked Config Items without permissions, which are defined in General Catalog.

Our analysis of the package's source code revealed that an agent could craft a request for a specific version of a config item they should not be allowed to access, and the system would return the data.
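The flaw class described here, a permission check that covers the normal lookup of an object but not a second lookup path keyed by version id, is common enough to be worth showing in code. The block below is an added illustration written for this page; it is not OTRS or ITSM package code, and every class, agent and record in it is constructed. It models permissions per config item class, in the spirit of the General Catalog definitions the advisory refers to, and shows the vulnerable version lookup beside the fixed one. The FAQ category issue described in the next item has the same shape (a linked record reachable without the category permission check), so the fixed pattern applies there as well.

```python
"""Permission checks on versioned records: the flaw class described above and
its fix. Added illustration; this is not OTRS or ITSM package code, and all
classes, names and data below are constructed for the example.

The bug pattern: read access to a config item is checked through the item's
class (the way the General Catalog defines it), but a request for a *specific
version* of the item goes through a separate lookup keyed by version id, and
that path returns the stored data without ever consulting the owning item's
class. The fix resolves the version to the item it belongs to and applies the
same class check there.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class ConfigItemVersion:
    version_id: int
    item_id: int            # the config item this version belongs to
    data: Dict[str, str]


@dataclass
class ConfigItem:
    item_id: int
    item_class: str         # e.g. "Computer" or "Network" (constructed classes)
    versions: List[ConfigItemVersion] = field(default_factory=list)


@dataclass
class Agent:
    login: str
    readable_classes: Set[str]   # classes this agent may read


class ConfigItemStore:
    def __init__(self, items: List[ConfigItem]) -> None:
        self._items = {item.item_id: item for item in items}
        # Versions are addressable on their own, which is what the buggy path relies on.
        self._versions = {v.version_id: v for item in items for v in item.versions}

    def _require_read(self, agent: Agent, item: ConfigItem) -> None:
        if item.item_class not in agent.readable_classes:
            raise PermissionDenied(f"{agent.login} may not read class {item.item_class!r}")

    def get_current_version(self, agent: Agent, item_id: int) -> ConfigItemVersion:
        """Checked path: the item is known, so its class is checked before returning."""
        item = self._items[item_id]
        self._require_read(agent, item)
        return item.versions[-1]

    def get_version_unchecked(self, agent: Agent, version_id: int) -> ConfigItemVersion:
        """Vulnerable pattern: the version is looked up by id and returned directly.

        The agent argument is accepted but never used, so any agent who knows
        a version id receives the data regardless of class permissions.
        """
        return self._versions[version_id]

    def get_version(self, agent: Agent, version_id: int) -> ConfigItemVersion:
        """Fixed pattern: resolve the version to its owning item, then apply the
        same class check as the current-version path. The item is taken from the
        stored version, never from anything the client supplied."""
        version = self._versions[version_id]
        self._require_read(agent, self._items[version.item_id])
        return version


def build_sample_store() -> ConfigItemStore:
    """Constructed sample data: one item per class, two versions each."""
    return ConfigItemStore([
        ConfigItem(1, "Computer", [
            ConfigItemVersion(10, 1, {"Name": "ws-01", "OS": "CentOS 8"}),
            ConfigItemVersion(11, 1, {"Name": "ws-01", "OS": "CentOS 8, patched"}),
        ]),
        ConfigItem(2, "Network", [
            ConfigItemVersion(20, 2, {"Name": "core-switch", "Vlan": "10"}),
            ConfigItemVersion(21, 2, {"Name": "core-switch", "Vlan": "20"}),
        ]),
    ])


def version_readable(store: ConfigItemStore, agent: Agent, version_id: int, checked: bool) -> bool:
    """True if the agent receives the version; False if the permission check denies it."""
    lookup = store.get_version if checked else store.get_version_unchecked
    try:
        lookup(agent, version_id)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    store = build_sample_store()
    network_only = Agent("agent_net", {"Network"})
    # The current-version path denies a Computer item, but the unchecked version path leaks it.
    print("unchecked path leaks Computer v10:", version_readable(store, network_only, 10, checked=False))
    print("fixed path denies Computer v10:   ", not version_readable(store, network_only, 10, checked=True))
    print("fixed path allows Network v21:    ", version_readable(store, network_only, 21, checked=True))
```

The point to carry over when reviewing real code is that every retrieval path for a protected record must end in the same permission check, and that the check must be evaluated against the object actually being returned (here, the item that owns the requested version), not against an identifier the client chose to send along.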

We have implemented a solution and released a new version of the package. It is available for download as an OPM file in the Downloads section.

FAQ Package Security Fix Released

On March 22, OTRS AG published security advisory OSA-2021-08 concerning a vulnerability in the popular FAQ package. According to the brief description in the advisory, the security flaw exposed FAQ articles to agents who shouldn't be allowed to access them:

Agents are able to see linked FAQ articles without permissions (defined in FAQ Category).

Our security specialists have analysed the source code of the package and have identified the likely cause of the vulnerability.

We have released a fixed version of the package as FAQ 6.0.29. It is available for download in the OPM format in the Downloads section.