Movable Type 7 r.5005 (7.9.1) / v6.8.5 have been released because the fix in r.5003 (7.8.2) / 6.8.3 was insufficient. This release fixes a critical security issue found in the XMLRPC API of Movable Type (CVE-2021-20837).
For those who use Movable Type 4.0 and later, Six Apart strongly recommends upgrading to the latest version or applying one of the following workarounds immediately.
Details of the issue
Through the XMLRPC API of MT (mt-xmlrpc.cgi), OS command injection (RCE) can be performed. This issue can occur when mt-xmlrpc.cgi is reachable from the Internet. The affected versions are Movable Type 4.0 and later, including the recently released r.5003 (7.8.2), r.5004 (7.9.0), 6.8.3 and 6.8.4.
Workarounds for those who cannot upgrade to the latest version
One of the following steps can be taken to avoid or reduce the impact of the vulnerability.
- Remove the execution permission of mt-xmlrpc.cgi
- Delete the mt-xmlrpc.cgi file
- Restrict the access to mt-xmlrpc.cgi on the Internet
- PSGI environment: set RestrictedPSGIApp xmlrpc in mt-config.cgi (6.2 and later), or set XMLRPCScript to a long random string that cannot be guessed (6.1 and earlier)
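As an added example (not Six Apart's code), the following POSIX shell functions audit a Movable Type install directory for the first, second and PSGI workarounds above and can apply the execution-permission one. The install path and the exact "RestrictedPSGIApp xmlrpc" line form are assumptions, and the script cannot see web-server access restrictions, so "exposed" only means none of the file-level workarounds is in place.

```shell
#!/bin/sh
# Audit the CVE-2021-20837 workarounds for one Movable Type install directory.
# Usage: mt_xmlrpc_status /path/to/mt
#   prints one of: absent | not-executable | psgi-restricted | exposed
#   exit status 0 when a workaround is in effect, 1 when still exposed.

mt_xmlrpc_status() {
    dir=$1
    cgi="$dir/mt-xmlrpc.cgi"
    conf="$dir/mt-config.cgi"

    # Workaround: the mt-xmlrpc.cgi file has been deleted.
    if [ ! -e "$cgi" ]; then
        echo absent
        return 0
    fi
    # Workaround: execution permission removed from mt-xmlrpc.cgi.
    if [ ! -x "$cgi" ]; then
        echo not-executable
        return 0
    fi
    # Workaround (PSGI, 6.2 and later): "RestrictedPSGIApp xmlrpc" in mt-config.cgi.
    # Assumed form: directive at the start of a non-comment line, as in the advisory.
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*RestrictedPSGIApp[[:space:]]+xmlrpc([[:space:]]|$)' "$conf"; then
        echo psgi-restricted
        return 0
    fi
    echo exposed
    return 1
}

# Apply the execution-permission workaround if the file is present.
mt_xmlrpc_disable() {
    cgi="$1/mt-xmlrpc.cgi"
    [ -e "$cgi" ] || return 0
    chmod a-x "$cgi"
}
```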
Since Six Apart has already terminated support for Movable Type 4.x, 5.x, and 6.0.x-6.3.x, we strongly recommend upgrading to the latest version of Movable Type, 7 r.5005 or 6.8.5.
- Movable Type r.5005 (v7.9.1)
- Movable Type Advanced r.5005 (v7.9.1)
- Movable Type AMI (via AWS Marketplace) r.5005 (v7.9.1)
- Movable Type Advanced AMI (via AWS Marketplace) r.5005 (v7.9.1)
- Movable Type v6.8.5
- Movable Type Advanced v6.8.5
- Movable Type AMI (via AWS Marketplace) v6.8.5
Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using.
How to get Movable Type 7 and 6.8
If you have an existing Movable Type 7 or 6.8 license, you can download the latest Movable Type from our download portal using your Six Apart ID.
Movable Type 6.8 is subject to LTS (long-term support) and will receive bug fixes and security fixes until 2022. However, in order to use Movable Type 6.5.x/6.6.x/6.7.x/6.8.x, the “Pro Unlimited annual license” needs to be renewed every year.