OXAS-ADV-2023-0002
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2023-03-20
- Current version: 3
- Version status: Final
- Aggregate severity: High
References
Vulnerabilities
CVE-2023-26427: Weak default permissions for noreply.properties
- CVE reference: CVE-2023-26427
- Internal reference: MWB-1994
- CWE: CWE-922 (Insecure Storage of Sensitive Information)
- Discovery date: 2023-01-09
Default permissions for a properties file were too permissive.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N | 3.2 |
Threats
Impact
Local system users could read potentially sensitive information.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-10)
For products
- OX App Suite backend 7.10.6-rev40
Please deploy the provided updates and patch releases. We updated the default permissions for noreply.properties set during package installation.
CVE-2023-26428: Access to other users signatures is not checked
- CVE reference: CVE-2023-26428
- Internal reference: MWB-2008
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
- Discovery date: 2023-01-17
Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
| OX App Suite backend 8.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
Threats
Impact
Signatures of other users could be read even though they are not explicitly shared.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-10)
For products
- OX App Suite backend 7.10.6-rev40
- OX App Suite backend 8.10
Please deploy the provided updates and patch releases. We improved permission handling when requesting snippets that are not explicitly shared with other users.
CVE-2023-26429: User-feedback not sanitized for control characters
- CVE reference: CVE-2023-26429
- Internal reference: MWB-2019
- CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
- Discovery date: 2023-01-23
Control characters were not removed when exporting user feedback content.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N | 3.5 |
| OX App Suite backend 8.10 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N | 3.5 |
Threats
Impact
This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-09)
For products
- OX App Suite backend 7.10.6-rev40
- OX App Suite backend 8.11
Please deploy the provided updates and patch releases. We now drop all control characters that are not whitespace character during the export.
CVE-2023-26431: SSRF through bypassing denylists via IPV4-mapped IPv6 addresses
- CVE reference: CVE-2023-26431
- Internal reference: MWB-2038
- CWE: CWE-918 (Server-Side Request Forgery (SSRF))
- Discovery date: 2023-02-07
IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 8.10 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
Threats
Impact
Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-16)
For products
- OX App Suite backend 7.10.6-rev40
- OX App Suite backend 8.11
Please deploy the provided updates and patch releases. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list.
CVE-2023-26432: SMTP capabilities allow excessive memory usage
- CVE reference: CVE-2023-26432
- Internal reference: MWB-2046
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-02-13
When adding an external mail account, processing of SMTP "capabilities" responses are not limited to plausible sizes.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 7.6.3-rev67 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 8.10 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
Threats
Impact
Attacker with access to a rogue SMTP service could trigger requests that lead to excessive resource usage and eventually service unavailability.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-13)
For products
- OX App Suite backend 7.10.6-rev40
- OX App Suite backend 7.6.3-rev68
- OX App Suite backend 8.11
Please deploy the provided updates and patch releases. We now limit accepted SMTP server response to reasonable length/size.
CVE-2023-26433: IMAP capabilities allow excessive memory usage
- CVE reference: CVE-2023-26433
- Internal reference: MWB-2047
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-02-13
When adding an external mail account, processing of IMAP "capabilities" responses are not limited to plausible sizes.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 7.6.3-rev67 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 8.10 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
Threats
Impact
Attacker with access to a rogue IMAP service could trigger requests that lead to excessive resource usage and eventually service unavailability.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-13)
For products
- OX App Suite backend 7.10.6-rev40
- OX App Suite backend 7.6.3-rev68
- OX App Suite backend 8.11
Please deploy the provided updates and patch releases. We now limit accepted IMAP server response to reasonable length/size.
CVE-2023-26434: POP3 capabilities allow excessive memory usage
- CVE reference: CVE-2023-26434
- Internal reference: MWB-2048
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-02-13
When adding an external mail account, processing of POP3 "capabilities" responses are not limited to plausible sizes.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev39 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 7.6.3-rev67 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 8.10 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
Threats
Impact
Attacker with access to a rogue POP3 service could trigger requests that lead to excessive resource usage and eventually service unavailability.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-13)
For products
- OX App Suite backend 7.10.6-rev40
- OX App Suite backend 7.6.3-rev68
- OX App Suite backend 8.11
Please deploy the provided updates and patch releases. We now limit accepted POP3 server response to reasonable length/size.
CVE-2023-26435: SSRF using ODT files and "draw" XML fragments
- CVE reference: CVE-2023-26435
- Internal reference: DOCS-4662
- CWE: CWE-918 (Server-Side Request Forgery (SSRF))
- Discovery date: 2023-01-09
It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
Threats
Impact
Attackers could discover restricted network topology and services as well as including local files with read permissions of the open-xchange system user. This was limited to specific file-types, like images.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-13)
For products
- OX App Suite office 7.10.6-rev8
Please deploy the provided updates and patch releases. We have improved existing content filters and validators to avoid including any local resources.
CVE-2023-26436: Insecure Deserialization on documentconverterws API lead to Remote Code Execution
- CVE reference: CVE-2023-26436
- Internal reference: DOCS-4701
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection'))
- Discovery date: 2023-02-03
Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev7 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 8.3 |
Threats
Impact
Arbitrary code could be injected that is being executed when processing the request.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-13)
For products
- OX App Suite office 7.10.6-rev8
Please deploy the provided updates and patch releases. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes.