| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <document xmlns="http://maven.apache.org/XDOC/2.0" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> |
| <properties> |
| <title>Security Vulnerabilities</title> |
| <author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author> |
| </properties> |
| |
| <body> |
| <section name="Security Vulnerabilities"> |
| <p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the |
| binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version |
| where that vulnerability has been fixed.<br/> |
| <br/> |
| For more information about reporting vulnerabilities, see the |
| <a href="https://www.apache.org/security/">Apache Security Team</a> page.<br/> |
| <br/> |
| <a href="https://www.apache.org/security/committers.html#vulnerability-handling">Vulnerability handling guide</a> |
| </p> |
| </section> |
| <section name="Reporting New Security Problems"> |
| <p> |
Please report any security problems to security@openmeetings.apache.org<br/>
<br/>
Please note: only security issues should be reported to this address.
| </p> |
| </section> |
| <section name="CVE-2016-0783 - Predictable password reset token"> |
| <p>Severity: Critical</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> |
<p>Description: The token issued by the external password reset function is the MD5 hash of the user name
concatenated with the current system time. Both inputs are known or narrowly bounded, so the token is
highly predictable: an attacker who knows the login name of an OpenMeetings user can recover a valid
token in seconds by hashing candidate timestamps around the time of the reset request.<br/>
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
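<p>The following is an added example, not code from OpenMeetings. It models the weak generator the advisory describes
(MD5 over the user name and a millisecond timestamp; the exact concatenation used in 3.1.0 is an assumption) and shows
how little work an attacker needs once the login name and a rough time window are known. It then shows the kind of
token the fix should issue: unpredictable, stored only as a hash, bound to one user, one expiry and one use.</p>
<source><![CDATA[
```python
import hashlib
import secrets
import time

# Hypothetical stand-in for the weak generator described in the advisory:
# MD5 over the user name followed by the current time in milliseconds.
# The exact concatenation used by OpenMeetings 3.1.0 is not reproduced here.
def weak_reset_token(username: str, millis: int) -> str:
    return hashlib.md5(f"{username}{millis}".encode()).hexdigest()


def crack_weak_token(username: str, token: str, start_ms: int, end_ms: int):
    """Attacker's side: the login name is known and the reset request was made
    somewhere inside [start_ms, end_ms], so at most end_ms - start_ms + 1 MD5
    calls are needed to find the timestamp and therefore the valid token."""
    for guess in range(start_ms, end_ms + 1):
        if weak_reset_token(username, guess) == token:
            return guess
    return None


# Hardened replacement: 256 bits from the OS CSPRNG, only the SHA-256 of the
# token kept server-side, bound to one user, one expiry and one use.
RESET_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: dict, username: str, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 43 URL-safe characters
    store[_digest(token)] = {"user": username, "expires": now + RESET_TTL_SECONDS}
    return token                                  # sent to the user, never stored


def redeem_reset_token(store: dict, token: str, now=None):
    """Return the user name for a live, unused token, else None. Looking the
    token up by its digest means any timing difference in the dict comparison
    reveals nothing about the token itself."""
    now = time.time() if now is None else now
    record = store.pop(_digest(token), None)     # pop: a token works exactly once
    if record is None or now > record["expires"]:
        return None
    return record["user"]


def demo() -> dict:
    # Constructed scenario: the victim's reset was triggered at issued_at and the
    # attacker only knows it happened within the last 60 seconds (60 001 guesses).
    issued_at = 1457000000123
    victim_token = weak_reset_token("admin", issued_at)
    recovered = crack_weak_token("admin", victim_token, issued_at - 60_000, issued_at)

    store: dict = {}
    good = issue_reset_token(store, "admin", now=1000.0)
    return {
        "recovered_timestamp": recovered,
        "first_redeem": redeem_reset_token(store, good, now=1100.0),
        "second_redeem": redeem_reset_token(store, good, now=1100.0),
    }


if __name__ == "__main__":
    print(demo())
```
]]></source>
<p>Even a window of several minutes is only a few hundred thousand MD5 calls, which is why the advisory says "seconds".
The random token, by contrast, cannot be enumerated, and storing only its hash means a read of the database table does
not hand out usable reset links.</p>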
| </section> |
| <section name="CVE-2016-0784 - ZIP file path traversal"> |
| <p>Severity: Moderate</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> |
<p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu
(http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially
crafted file names within ZIP archives: entry names are joined onto the extraction directory without
being checked. Uploading an archive containing an entry named ../../../public/hello.txt writes the file
“hello.txt” into the http://domain:5080/openmeetings/public/ directory. Wherever the account running
OpenMeetings has write access, this could be used to, for example, overwrite the /usr/bin/convert file (or any other
third-party integrated executable) with a shell script, which would be executed the next time an image file
is uploaded and ImageMagick is invoked.<br/>
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
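<p>The following is an added example, not OpenMeetings code. It builds a small archive (constructed here) containing the
advisory's ../../../public/hello.txt entry, extracts it the way the vulnerable backup import did (entry name joined
onto the destination, no check) and then with the check a fixed importer needs: resolve the final path and refuse any
entry that lands outside the destination directory. Everything is done inside a throwaway directory so the traversal
stays contained.</p>
<source><![CDATA[
```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: a normal entry plus one whose name climbs
    out of the extraction directory, mirroring the advisory's example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/config.xml", "<config/>")
        zf.writestr("../../../public/hello.txt", "not a backup")
    return buf.getvalue()


def _write_entry(zf: zipfile.ZipFile, entry: zipfile.ZipInfo, target: str) -> None:
    if entry.is_dir():
        os.makedirs(target, exist_ok=True)
        return
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(zf.read(entry))


def extract_unsafe(archive: bytes, dest: str) -> list:
    """The pattern behind the bug: trust the entry name and join it onto dest.
    '..' segments (or an absolute name) put the write anywhere the process may write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for entry in zf.infolist():
            target = os.path.join(dest, entry.filename)
            _write_entry(zf, entry, target)
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve where the entry would land and refuse anything outside dest.
    realpath follows symlinks already present under dest, so a link that
    points outside is caught as well, and an absolute name discards dest
    entirely and is caught for the same reason."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"zip entry escapes destination: {name!r}")
    return target


def extract_safe(archive: bytes, dest: str) -> list:
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # Check every name before writing anything, so a hostile archive
        # leaves no partially extracted state behind.
        planned = [(entry, safe_target(dest, entry.filename)) for entry in zf.infolist()]
        for entry, target in planned:
            _write_entry(zf, entry, target)
            written.append(target)
    return written


def demo() -> dict:
    """Extract the constructed archive both ways inside a throwaway directory
    and report which paths escaped the intended destination."""
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        dest = os.path.join(base, "webapps", "openmeetings", "upload")
        os.makedirs(dest)
        unsafe = extract_unsafe(archive, dest)
        escaped = [os.path.relpath(p, base) for p in unsafe
                   if os.path.commonpath([dest, p]) != dest]
        try:
            extract_safe(archive, dest)
            blocked = False
        except ValueError:
            blocked = True
    return {"escaped": escaped, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```
]]></source>
<p>The check must run on the resolved path, not on the raw name: a denylist of "../" misses absolute names and
symlinks, and validating after some entries are already written leaves a half-imported backup behind when a bad entry
is found late in the archive.</p>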
| </section> |
| <section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description"> |
| <p>Severity: Moderate</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> |
<p>Description: When creating an event, it is possible to create clickable URL links in the event description. These
links are shown in the event details once a participant enters the room via the event. The link target is not
validated, so a link such as "javascript:alert('xss')" can be created, which executes in the browser of
whoever clicks it. As the target is placed in the href of an &lt;a&gt; tag, the actual destination is not visible to the
end user, which makes it hard to tell whether the link is legitimate.<br/>
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
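<p>The following is an added example, not OpenMeetings code, showing the check the event description renderer needs:
an allowlist of link schemes applied after normalising the URL the way browsers do, with the href and link text
HTML-escaped on output. The sample inputs are constructed; they include the advisory's payload and the common
obfuscations (case, leading control characters, embedded tabs) that a naive "starts with javascript:" test misses.</p>
<source><![CDATA[
```python
import html
from urllib.parse import urlsplit

# Schemes an event description may link to. Everything else, including
# javascript:, data: and vbscript:, is rejected (allowlist, not denylist).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip leading and trailing space/C0 control characters from a URL
# and drop tab, CR and LF anywhere in it before parsing, so "java\tscript:"
# still runs. Normalise the same way first, so the check sees what the
# browser will see.
_SPACE_AND_C0 = "".join(chr(c) for c in range(0x21))


def safe_href(raw: str):
    """Return the normalised URL if its scheme is allowed, else None."""
    url = raw.strip(_SPACE_AND_C0)
    for ch in "\t\r\n":
        url = url.replace(ch, "")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return url


def render_link(raw_href: str, text: str):
    """Emit the anchor the event details page would show, or None if the
    target was rejected. The destination is repeated in the title attribute
    so hovering reveals where a link really goes."""
    url = safe_href(raw_href)
    if url is None:
        return None
    href = html.escape(url, quote=True)
    return (f'<a href="{href}" title="{href}" rel="noopener noreferrer">'
            f'{html.escape(text, quote=True)}</a>')


# Constructed inputs: the advisory's payload, common obfuscations of it, and
# an ordinary link that should survive.
SAMPLES = [
    "javascript:alert('xss')",
    "  JaVaScRiPt:alert(1)",
    "java\tscript:alert(1)",
    "\x01javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "https://example.com/agenda?room=1&title=<x>",
]


def classify(samples=SAMPLES) -> dict:
    """Map each sample to True (allowed) or False (rejected)."""
    return {s: (safe_href(s) is not None) for s in samples}


if __name__ == "__main__":
    for sample, ok in classify().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {sample!r}")
    print(render_link(SAMPLES[-1], "Agenda"))
```
]]></source>
<p>Relative links ("agenda.html") are rejected by this policy because they carry no scheme; loosen ALLOWED_SCHEMES
deliberately rather than by special-casing. Escaping the href on output is still required even for an allowed URL,
as the query string in the last sample shows.</p>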
| </section> |
| <section name="CVE-2016-2164 - Arbitrary file read via SOAP API"> |
| <p>Severity: Critical</p> |
| <p>Vendor: The Apache Software Foundation</p> |
| <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> |
<p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile
methods in the FileService, it is possible to read arbitrary files from the system. The location supplied in the
API call is passed to Java's URL class without checking which protocol handler it selects, so a file: URL is
accepted just like an http: URL and the server reads and imports the local file it names.<br/>
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a> |
| </p> |
| <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> |
| <p>Credit: This issue was identified by Andreas Lindh</p> |
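<p>The following is an added example, not OpenMeetings code. It reproduces the bug's shape in Python, whose
urllib.request.urlopen picks a protocol handler from the string just as Java's new URL(url).openStream() does,
against a constructed secret file in a temporary directory, and shows the hardened import: parse the URL first,
allow only http and https, require a host, and only then open it.</p>
<source><![CDATA[
```python
import os
import tempfile
from urllib.parse import urlsplit
from urllib.request import urlopen

# Only remote web resources may be imported. file:, jar:, ftp: and anything
# else the URL machinery knows how to open are refused up front.
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unchecked(url: str) -> bytes:
    """The pattern behind the bug: a caller-controlled string goes straight to
    the URL library. Java's new URL(url).openStream() and Python's urlopen()
    both choose the protocol handler from the string, so "file:///etc/passwd"
    is opened as readily as "http://example.com/deck.pdf"."""
    with urlopen(url) as resp:
        return resp.read()


def fetch_checked(url: str) -> bytes:
    """Hardened import: parse first, decide on the scheme, then open."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing to import from scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("import URL has no host")
    with urlopen(url) as resp:
        return resp.read()


def demo() -> dict:
    """Constructed scenario: a secret file on the server's disk, referenced
    through a file: URL the way an attacker would in the importFile call."""
    with tempfile.TemporaryDirectory() as base:
        secret = os.path.join(base, "persistence.xml")
        with open(secret, "w") as fh:
            fh.write("db.password=hunter2\n")     # constructed sample content
        url = "file://" + secret                  # file:///tmp/.../persistence.xml
        leaked = fetch_unchecked(url)
        try:
            fetch_checked(url)
            blocked = False
        except ValueError:
            blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```
]]></source>
<p>Java's URL class additionally understands jar: and ftp:, which the allowlist rejects without needing to name them.
Note that restricting the scheme does not stop a caller from pointing the server at internal HTTP services; an import
endpoint that fetches arbitrary http(s) URLs still needs host and address restrictions, which are outside the scope of
this advisory.</p>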
| </section> |
| </body> |
| </document> |