
List:       full-disclosure
Subject:    [FD] Open-Xchange Security Advisory 2021-07-19
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2021-07-19 8:29:53
Message-ID: 1403649540.128.1626683393635 () appsuite-dev-guard ! open-xchange ! com

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed
to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX
AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX Documents
Vendor: OX Software GmbH


Internal reference: DOCS-3199
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: imageconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev14, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-16
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28093
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted images are cached for faster processing when requesting the same resource again. This
cache used a weak mechanism (Adler32) to create cache keys, vulnerable to accidental or
purposeful hash collisions.

Risk:
Image content could be swapped by hash key collisions, resulting in a loss of confidentiality
or integrity.

Steps to reproduce:
1. Create two image files that would generate the same hash key
2. Upload both files
3. View Image A
4. View Image B - The content of Image A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.



---



Internal reference: DOCS-3200
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev34, 7.10.4-rev20, 7.10.5-rev7
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28094
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted documents are cached for faster processing when requesting the same resource again.
This cache used a weak mechanism (CRC32) to create cache keys, vulnerable to accidental or
purposeful hash collisions.

Risk:
Document content could be swapped by hash key collisions, resulting in a loss of
confidentiality or integrity.

Steps to reproduce:
1. Create two document files that would generate the same hash key
2. Upload both files
3. View document A
4. View document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.



---



Internal reference: DOCS-3201
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev10, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28095
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Documents are cached for faster processing when requesting the same resource again. This cache
used a weak mechanism (CRC32) to create cache keys, vulnerable to accidental or purposeful hash
collisions.

Risk:
Document content could be swapped by hash key collisions, resulting in a loss of
confidentiality or integrity.

Steps to reproduce:
1. Create two documents that contain XML structures which create a hash collision
2. Upload both files
3. Edit document A
4. Edit document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.
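
The cache-key weakness described in DOCS-3199 (Adler32), next to the SHA-256 fix, as an added example that is not part of the original advisory and not Open-Xchange code. The ConversionCache class, the owner labels and the two sample inputs are constructed for illustration; the same effect applies to the CRC32 keys in DOCS-3200 and DOCS-3201.

```python
import hashlib
import zlib


def adler32_key(data: bytes) -> str:
    """Weak cache key: a 32-bit checksum, as described for the vulnerable versions."""
    return f"{zlib.adler32(data):08x}"


def sha256_key(data: bytes) -> str:
    """Cache key from a collision-resistant hash, as described in the fix."""
    return hashlib.sha256(data).hexdigest()


class ConversionCache:
    """Hypothetical stand-in for a converter result cache keyed by source content."""

    def __init__(self, key_func):
        self._key_func = key_func
        self._store = {}

    def convert(self, owner: str, source: bytes) -> str:
        key = self._key_func(source)
        if key not in self._store:
            # Placeholder "conversion": records which upload produced the result.
            self._store[key] = f"converted:{owner}:{source.hex()}"
        return self._store[key]


def view_both(key_func, file_a: bytes, file_b: bytes):
    """View file A, then file B, through one shared cache; return both results."""
    cache = ConversionCache(key_func)
    result_a = cache.convert("user-a", file_a)
    result_b = cache.convert("user-b", file_b)
    return result_a, result_b


# Constructed sample inputs: same byte sum and same position-weighted sum,
# so Adler32 (two running sums mod 65521) cannot tell them apart.
FILE_A = b"bcb"
FILE_B = b"cac"

if __name__ == "__main__":
    for name, func in (("adler32", adler32_key), ("sha256", sha256_key)):
        a, b = view_both(func, FILE_A, FILE_B)
        print(f"{name}: B served from A's cache entry = {a == b}")
```
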

