<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<document xmlns="http://maven.apache.org/XDOC/2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
<properties>
<title>Security Vulnerabilities</title>
<author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author>
</properties>
<body>
<section name="Security Vulnerabilities">
<p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the
binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version
where that vulnerability has been fixed.<br/>
<br/>
For more information about reporting vulnerabilities, see the
<a href="https://www.apache.org/security/">Apache Security Team</a> page.<br/>
<br/>
<a href="https://www.apache.org/security/committers.html#vulnerability-handling">Vulnerability handling guide</a>
</p>
</section>
<section name="Reporting New Security Problems">
<p>
Please report any security errors to security@openmeetings.apache.org<br/>
<br/>
Please NOTE: only security issues should be reported to this list.
</p>
</section>
<section name="CVE-2016-0783 - Predictable password reset token">
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p>
<p>Description: The hash used by the external password reset function is built by concatenating the user
name and the current system time and hashing the result with MD5. This is highly predictable and
can be cracked in seconds by an attacker who knows the user name of an OpenMeetings
user.<br/>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
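<p>The defect described above is that the reset token is a deterministic function of two guessable inputs, the user name and the clock. The following Python example is added here and is not taken from OpenMeetings (whose code is Java): it shows that token shape for contrast beside a hardened variant that draws 256 bits from the operating system's CSPRNG, stores only a SHA-256 digest of the token together with a 15-minute expiry, and redeems it once. The in-memory store, the lifetime and the function names are assumptions for illustration.</p>

```python
import hashlib
import secrets
import time


def weak_reset_token(username, now_millis):
    """Token shape the advisory describes: MD5 over user name plus clock value.
    Shown only as the 'before' for contrast: it is a deterministic function of
    two guessable inputs, so it carries no secret entropy at all."""
    return hashlib.md5((username + str(now_millis)).encode()).hexdigest()


# Constructed in-memory store for the hardened variant: token digest -> (user, expiry).
_PENDING_RESETS = {}
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumed lifetime; pick what fits the deployment


def issue_reset_token(username, now=None):
    """Hardened variant: 256 random bits from the OS CSPRNG. Only a SHA-256 digest
    is stored, so a leaked copy of the store does not yield a usable token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _PENDING_RESETS[digest] = (username, now + TOKEN_LIFETIME_SECONDS)
    return token


def redeem_reset_token(token, now=None):
    """Return the user name if the token is known and unexpired, else None.
    The entry is removed on any lookup, so a token can be used at most once."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # The lookup key is a digest of a high-entropy secret, so a plain dictionary
    # lookup is adequate here; there is no low-entropy value to compare in constant time.
    entry = _PENDING_RESETS.pop(digest, None)
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return username


def demo(now=1000.0):
    """Exercise both variants and return the observed properties for checking."""
    tok_a = issue_reset_token("alice", now=now)
    tok_b = issue_reset_token("alice", now=now)
    return {
        "weak_is_deterministic": weak_reset_token("alice", 1458000000000)
        == weak_reset_token("alice", 1458000000000),
        "strong_tokens_differ": tok_a != tok_b,
        "valid_redeems": redeem_reset_token(tok_a, now=now + 60) == "alice",
        "second_use_rejected": redeem_reset_token(tok_a, now=now + 60) is None,
        "expired_rejected": redeem_reset_token(tok_b, now=now + TOKEN_LIFETIME_SECONDS + 1) is None,
        "unknown_rejected": redeem_reset_token("not-a-token", now=now) is None,
    }


if __name__ == "__main__":
    print(demo())
```

<p>Storing only the digest means a read-only leak of the reset table does not expose usable tokens, and the expiry bounds the window in which a token that does leak (for example through a mail log) remains valid.</p>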
</section>
<section name="CVE-2016-0784 - ZIP file path traversal">
<p>Severity: Moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p>
<p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu
(http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially
crafted file names within ZIP archives. Uploading an archive containing a file named
../../../public/hello.txt writes the file "hello.txt" to the http://domain:5080/openmeetings/public/
directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3rd-party
integrated executable) with a shell script, which would be executed the next time an image file
is uploaded and ImageMagick is invoked.<br/>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
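<p>The control the backup importer lacked is a check that each archive entry's destination, after ".." and symbolic links are resolved, still lies inside the extraction directory. The following Python example is added here and is not OpenMeetings code: it builds a constructed sample archive with one ordinary entry and one entry whose name climbs out of the target directory, then extracts it with that check in place, reporting which entries were written and which were refused. Entry names, directory layout and function names are assumptions for illustration.</p>

```python
import io
import os
import tempfile
import zipfile


def build_sample_backup():
    """Constructed sample archive: one legitimate entry and one entry whose name
    climbs out of the extraction directory, as the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/users.txt", "exported user list")
        zf.writestr("../../../public/hello.txt", "would land outside the backup dir")
    return buf.getvalue()


def _stays_inside(base, target):
    """True if target, after resolving '..' and symlinks, is base or a descendant of it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        return False


def safe_extract(zip_bytes, dest):
    """Extract zip_bytes into dest, refusing any entry that would land outside dest.
    Returns (extracted, rejected) lists of entry names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.join(dest, name)
            # Absolute names and names whose resolved path leaves dest are rejected.
            if os.path.isabs(name) or not _stays_inside(dest, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run the sample archive through safe_extract in a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="om-backup-")
    extracted, rejected = safe_extract(build_sample_backup(), dest)
    # Where the traversal entry would have been written had the check been absent.
    escaped = os.path.exists(os.path.join(dest, "..", "..", "..", "public", "hello.txt"))
    return {"extracted": extracted, "rejected": rejected, "escaped": escaped}


if __name__ == "__main__":
    print(demo())
```

<p>Comparing resolved paths with commonpath, rather than testing a string prefix, avoids accepting a sibling directory whose name merely starts with the destination's name, and resolving with realpath also catches symbolic links that point outside the destination.</p>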
</section>
<section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description">
<p>Severity: Moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p>
<p>Description: When creating an event, it is possible to create clickable URL links in the event description. These
links are shown in the event details once a participant enters the room via the event. It is
possible to create a link such as "javascript:alert('xss')", which executes once the link is clicked. Because
the link is placed within an &lt;a&gt; tag, the actual link target is not visible to the end user, which makes it hard
to tell whether the link is legitimate.<br/>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
</section>
<section name="CVE-2016-2164 - Arbitrary file read via SOAP API">
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p>
<p>Description: When uploading a file via the API using the importFileByInternalUserId or importFile
methods of the FileService, it is possible to read arbitrary files from the system. This is because
Java's URL class is used without checking which protocol handler the API call specifies.<br/>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
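<p>CVE-2016-2163 above and CVE-2016-2164 come down to the same missing control: a URL scheme was accepted without being checked against an allow-list, once in a link rendered for users and once in a URL the server itself opens. The following Python example is added here and is not OpenMeetings code (which is Java); it applies one scheme parser to both cases: safe_href keeps only absolute http, https and mailto links for display in an event description, and check_import_url accepts only http and https with a host for a server-side fetch, so handlers such as file: or jar: are never reached. The function names and the two allow-lists are assumptions for illustration.</p>

```python
import re
from urllib.parse import urlsplit

# Browsers discard embedded tab, CR and LF before parsing a URL, so they are removed
# first; otherwise "java\tscript:" would slip past a naive prefix check.
_STRIP_INSIDE = re.compile(r"[\t\r\n]")
# ASCII control characters and space, stripped from both ends before parsing.
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

LINK_SCHEMES = frozenset({"http", "https", "mailto"})  # what a clickable link may use
FETCH_SCHEMES = frozenset({"http", "https"})           # what the server may open itself


def _normalise(url):
    """Remove embedded tab/newline and surrounding control characters or spaces."""
    return _STRIP_INSIDE.sub("", url).strip(_C0_AND_SPACE)


def scheme_of(url):
    """Return the lower-cased scheme of url, or None if it has no scheme."""
    m = _SCHEME.match(_normalise(url))
    return m.group(1).lower() if m else None


def safe_href(url):
    """For user-supplied links shown to other users: return the cleaned URL if its
    scheme is on the link allow-list, else None (render the text as plain text)."""
    cleaned = _normalise(url)
    if scheme_of(cleaned) in LINK_SCHEMES:
        return cleaned
    return None


def check_import_url(url):
    """For a URL the server will open on a caller's behalf (the importFile case):
    require an allow-listed scheme and a host. Returns (ok, reason)."""
    cleaned = _normalise(url)
    scheme = scheme_of(cleaned)
    if scheme not in FETCH_SCHEMES:
        return False, "scheme not allowed: %s" % scheme
    if not urlsplit(cleaned).hostname:
        return False, "missing host"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/agenda", "javascript:alert('xss')",
                      "java\tscript:alert(1)", "mailto:host@example.com"):
        print(repr(candidate), "->", safe_href(candidate))
    for candidate in ("https://files.example.org/slides.pdf", "file:///etc/passwd"):
        print(repr(candidate), "->", check_import_url(candidate))
```

<p>An allow-list of schemes is preferable to a deny-list because the set of handlers a platform registers (Java's URL class alone knows several) changes between versions. A rejected href is best rendered as plain text rather than silently dropped, so the event's author can see that the link was not accepted.</p>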
</section>
</body>
</document>