Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX Documents
Vendor: OX Software GmbH

Internal reference: DOCS-3199
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: imageconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev14, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-16
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28093
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted images are cached for faster processing when requesting the same resource again. This cache used a weak mechanism (Adler32) to create cache keys, vulnerable to accidental or purposeful hash collisions.

Risk:
Image content could be swapped by hash key collisions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two image files that would generate the same hash key
2. Upload both files
3. View Image A
4. View Image B - The content of Image A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.

---

Internal reference: DOCS-3200
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev34, 7.10.4-rev20, 7.10.5-rev7
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28094
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanism (CRC32) to create cache keys, vulnerable to accidental or purposeful hash collisions.

Risk:
Document content could be swapped by hash key collisions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two document files that would generate the same hash key
2. Upload both files
3. View document A
4. View document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.

---

Internal reference: DOCS-3201
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev10, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28095
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanism (CRC32) to create cache keys, vulnerable to accidental or purposeful hash collisions.

Risk:
Document content could be swapped by hash key collisions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two documents that contain XML structures which create a hash collision
2. Upload both files
3. Edit document A
4. Edit document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.
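Added example (not part of the original advisory and not OX code): a toy result cache keyed first by Adler-32 and then by SHA-256, reproducing the swap described in the steps above for DOCS-3199, plus a helper that lists distinct contents sharing one cache key. The ConversionCache class, the function names and the two sample byte strings are constructed for illustration, and it is an assumption that keys are computed over the raw file content.

```python
import hashlib
import zlib

# Constructed sample inputs (not real image files): two different byte
# strings that happen to share one Adler-32 value.
IMAGE_A = b"aca"
IMAGE_B = b"bab"

def adler32_key(data: bytes) -> str:
    """Weak cache key: a 32-bit checksum of the content."""
    return f"{zlib.adler32(data):08x}"

def sha256_key(data: bytes) -> str:
    """Cache key as in the stated solution: SHA-256 of the content."""
    return hashlib.sha256(data).hexdigest()

class ConversionCache:
    """Hypothetical stand-in for a converter result cache."""

    def __init__(self, key_func):
        self._key_func = key_func
        self._store = {}

    def view(self, data: bytes) -> bytes:
        key = self._key_func(data)
        if key not in self._store:  # cache miss: convert and remember
            self._store[key] = b"converted:" + data
        return self._store[key]

def serves_own_content(key_func) -> bool:
    """View A, then B; report whether B's own conversion comes back."""
    cache = ConversionCache(key_func)
    cache.view(IMAGE_A)
    return cache.view(IMAGE_B) == b"converted:" + IMAGE_B

def colliding_groups(blobs, key_func):
    """Audit helper: groups of distinct contents that share one cache key."""
    by_key = {}
    for blob in blobs:
        by_key.setdefault(key_func(blob), set()).add(blob)
    return [sorted(group) for group in by_key.values() if len(group) > 1]

if __name__ == "__main__":
    print("adler32 key serves B correctly:", serves_own_content(adler32_key))
    print("sha256 key serves B correctly: ", serves_own_content(sha256_key))
    print(colliding_groups([IMAGE_A, IMAGE_B, b"other"], adler32_key))
```

The same cache behaves identically with zlib.crc32 as the key function whenever two contents share a CRC32 value, which is the case the documentconverter and office entries describe.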
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/