| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <document xmlns="http://maven.apache.org/XDOC/2.0" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> |
| <properties> |
| <title>Security Vulnerabilities</title> |
| <author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author> |
| </properties> |
| |
| <body> |
| <section name="Security Vulnerabilities"> |
| <p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the |
| binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version |
| where that vulnerability has been fixed.<br/> |
| <br/> |
| For more information about reporting vulnerabilities, see the |
| <a href="https://www.apache.org/security/">Apache Security Team</a> page.<br/> |
| <br/> |
| <a href="https://www.apache.org/security/committers.html#vulnerability-handling">Vulnerability handling guide</a> |
| </p> |
| <p> |
| REFERENCES -> permalink to the announce email in archives<br/> |
| Going forward, please include the <b>product and version information</b> in the <b>description</b> itself |
| as well as in the "[PRODUCT]" and "[VERSION]" lines in your submissions. |
| While this may seem redundant, including the information in both places satisfies different use cases and supports automation. |
| </p> |
| </section> |
| <section name="Reporting New Security Problems"> |
| <p> |
| Please report any security errors to security@openmeetings.apache.org<br/> |
| <br/> |
| Please NOTE: only security issues should be reported to this list. |
| </p> |
| </section> |
| <section name="CVE-2018-1325 - Wicket jQuery UI: XSS while displaying value in WYSIWYG editor"> |
| <p>Severity: High</p> |
| <p>Vendor: wicket-jquery-ui</p> |
| <p>Versions Affected: <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1</p> |
| <p>Description: JS code created in WYSIWYG editor will be executed on display<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1325">CVE-2018-1325</a> |
| </p> |
| <p>The issue was fixed in 6.29.1, 7.10.2, 8.0.0-M9.2<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 4.0.3</p> |
| <p>Credit: This issue was identified by Kamil Sevi</p> |
| </section> |
| <section name="CVE-2017-15719 - Wicket jQuery UI: XSS in WYSIWYG editor"> |
| <p>Severity: High</p> |
| <p>Vendor: wicket-jquery-ui</p> |
| <p>Versions Affected: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8</p> |
| <p>Description: Attacker can submit arbitrary JS code to WYSIWYG editor<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15719">CVE-2017-15719</a> |
| </p> |
| <p>The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p> |
| <p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p> |
| </section> |
| <section name="CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls"> |
| <p>Severity: Medium</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 3.0.0 - 4.0.1</p> |
| <p>Description: CRUD operations on privileged users are not password protected allowing an authenticated attacker |
| to deny service for privileged users.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1286">CVE-2018-1286</a> |
| </p> |
| <p>The issue was fixed in 4.0.2<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p> |
| <p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p> |
| </section> |
| <section name="CVE-2017-7663 - Apache OpenMeetings - XSS in chat"> |
| <p>Severity: High</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 3.2.0</p> |
| <p>Description: Both global and Room chat are vulnerable to XSS attack<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7663">CVE-2017-7663</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation"> |
| <p>Severity: High</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 3.1.0</p> |
| <p>Description: Uploaded XML documents were not correctly validated<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7664">CVE-2017-7664</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers"> |
| <p>Severity: High</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF) |
| attacks, XSS attacks, click-jacking, and MIME based attacks<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7666">CVE-2017-7666</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords"> |
| <p>Severity: High</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetings uses not very strong cryptographic storage, |
| captcha is not used in registration and forget password dialogs and auth forms |
| missing brute force protection<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7673">CVE-2017-7673</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy"> |
| <p>Severity: Low</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetings has an overly permissive |
| crossdomain.xml file. This allows for flash content to be loaded |
| from untrusted domains.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7680">CVE-2017-7680</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services"> |
| <p>Severity: High</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetings is vulnerable to SQL injection |
| This allows authenticated users to modify the structure of the existing |
| query and leak the structure of other queries being made by the |
| application in the back-end<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7681">CVE-2017-7681</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass"> |
| <p>Severity: Medium</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 3.2.0</p> |
| <p>Description: Apache OpenMeetings is vulnerable to parameter manipulation |
| attacks, as a result attacker has access to restricted areas.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7682">CVE-2017-7682</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7683 - Apache OpenMeetings - Information Disclosure"> |
| <p>Severity: Lowest</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetings displays Tomcat version and |
| detailed error stack trace which is not secure.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7683">CVE-2017-7683</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload"> |
| <p>Severity: Low</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetings doesn't check contents of files |
| being uploaded. An attacker can cause a denial of service by |
| uploading multiple large files to the server<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7684">CVE-2017-7684</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods"> |
| <p>Severity: Lowest</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetingsrespond to the following insecure HTTP |
| Methods: PUT, DELETE, HEAD, and PATCH.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7685">CVE-2017-7685</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update"> |
| <p>Severity: Low</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.0.0</p> |
| <p>Description: Apache OpenMeetings updates user password in insecure manner.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7688">CVE-2017-7688</a> |
| </p> |
| <p>The issue was fixed in 3.3.0<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> |
| <p>Credit: This issue was identified by Security Innovation</p> |
| </section> |
| <section name="CVE-2017-5878 - RED5/AMF Unmarshalling RCE"> |
| <p>Severity: Critical</p> |
| <p>Vendor: Red5</p> |
| <p>Versions Affected: Apache OpenMeetings 3.1.3 and earlier</p> |
| <p>Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the |
| classes for which it performs deserialization, which allows remote attackers to execute |
| arbitrary code via crafted serialized Java data.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5878">CVE-2017-5878</a> |
| </p> |
| <p>The issue was fixed in 3.1.4<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.1.4</p> |
| <p>Credit: This issue was identified by Moritz Bechler</p> |
| </section> |
| <section name="CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE"> |
| <p>Severity: Moderate</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 3.1.0</p> |
| <p>Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8736">CVE-2016-8736</a> |
| </p> |
| <p>The issue was fixed in 3.1.2<br/> |
| All users are recommended to upgrade to Apache OpenMeetings 3.1.3</p> |
| <p>Credit: This issue was identified by Jacob Baines, Tenable Network Security</p> |
| </section> |
| <section name="CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel"> |
| <p>Severity: Moderate</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 3.1.0</p> |
| <p>Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without |
| being escaped, leading to the reflected XSS.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3089">CVE-2016-3089</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.2</p> |
| <p>Credit: This issue was identified by Matthew Daley</p> |
| </section> |
| <section name="CVE-2016-0783 - Predictable password reset token"> |
| <p>Severity: Critical</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> |
| <p>Description: The hash generated by the external password reset function is generated by concatenating the user |
| name and the current system time, and then hashing it using MD5. This is highly predictable and |
| can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings |
| user.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
| </section> |
| <section name="CVE-2016-0784 - ZIP file path traversal"> |
| <p>Severity: Moderate</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> |
| <p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu |
| (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially |
| crafted file names within ZIP archives. By uploading an archive containing a file named |
| ../../../public/hello.txt will write the file “hello.txt” to the http://domain:5080/openmeetings/public/ |
| directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd |
| party integrated executable) with a shell script, which would be executed the next time an image file |
| is uploaded and imagemagick is invoked.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
| </section> |
| <section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description"> |
| <p>Severity: Moderate</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> |
| <p>Description: When creating an event, it is possible to create clickable URL links in the event description. These |
| links will be present inside the event details once a participant enters the room via the event. It is |
| possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As |
| the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard |
| to tell if the link is legit or not.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
| </section> |
| <section name="CVE-2016-2164 - Arbitrary file read via SOAP API"> |
| <p>Severity: Critical</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> |
| <p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile |
| methods in the FileService, it is possible to read arbitrary files from the system. This is due to that |
| Java's URL class is used without checking what protocol handler is specified in the API call.<br/> |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
| </section> |
| </body> |
| </document> |