Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows defining references to E-Mail attachments that should be added. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as an attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL:
   "datasource": {
     "identifier": "com.openexchange.url.mail.attachment",
     "url": "file:///var/file"
   }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.

---

Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows adding arbitrary data sources. To avoid exposing confidential data, we implemented a host blacklist and protocol whitelist. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.
Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.

---

Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows adding arbitrary data sources. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.
---

Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows adding arbitrary data sources. To avoid exposing confidential data, we implemented a host blacklist and protocol whitelist. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to your network layout.

---

Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow images to be loaded from URL sources. Since no sufficient blacklist was in place, this allowed the server to be made to request arbitrary image resources.
Risk:
Users can trigger API calls that invoke local URLs. If a host can be accessed, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to your network layout.

---

Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Documentconverter can be used to convert "remote" URLs and return images. The source of those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end-users, and their content would be exposed through the generated image.

Steps to reproduce:
1. Create a document and use an image "from URL"
2. Enter a URL that redirects to the local documentconverter instance, which in turn contains a reference to a local resource:
   http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.
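The validation the SSRF entries above describe (a protocol whitelist plus a host blacklist, evaluated regardless of the port and applied to the addresses a name resolves to, so a wildcard DNS name like 127.0.0.1.nip.io is caught) can be shown in Python. This is an added example, not OX's code: the scheme and network lists and the resolve function are assumptions, and check_url_vulnerable models the short-circuit described for bugs 67874 and 67980 beside the corrected evaluation.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for this example, not OX's shipped defaults; the advisory
# names the real properties (e.g. com.openexchange.messaging.rss.feed.blacklist).
ALLOWED_SCHEMES = {"http", "https"}          # protocol whitelist: no file://
HOST_BLACKLIST = {"localhost"}               # literal host names to block
NETWORK_BLACKLIST = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def resolve(host):
    """Default resolver: every address the name maps to (OSError if none)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def blacklisted_host(host, resolver=resolve):
    """True if the host name, or any address it resolves to, hits the blacklist.
    Resolving catches wildcard DNS such as 127.0.0.1.nip.io -> 127.0.0.1."""
    if host.lower().rstrip(".") in HOST_BLACKLIST:
        return True
    try:
        addrs = {ipaddress.ip_address(host)}         # literal IPv4/IPv6
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except OSError:
            return True                              # fail closed: unresolvable
    addrs = {getattr(a, "ipv4_mapped", None) or a for a in addrs}  # ::ffff:a.b.c.d
    return any(a in net for a in addrs for net in NETWORK_BLACKLIST)


def check_url_vulnerable(url):
    """The flawed evaluation: a whitelisted scheme short-circuits the host check."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES   # blacklist never consulted


def check_url_fixed(url, resolver=resolve):
    """Scheme whitelist AND host blacklist, independent of the port in the URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    # The address checked here must also be the one connected to afterwards,
    # or DNS rebinding between check and fetch could bypass the policy.
    return not blacklisted_host(parts.hostname, resolver)
```

The resolver is injectable so the policy can be unit-tested offline against a constructed name table; in production the default resolve uses the system resolver.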
---

Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential vulnerabilities that are not directly related to readerengine.

Risk:
Existing vulnerabilities in upstream projects could be used in the context of OX App Suite / OX Documents. This update is precautionary.

Steps to reproduce:
1. n/a

Solution:
n/a