Technology
Open-Xchange issues fixes for RCE, SSRF bugs in OX App Suite
Security release also includes precautionary patches for potential Log4j-like flaw in Logback library.
Diversified technology and infrastructure software provider Open-Xchange has released fixes for several security vulnerabilities impacting OX App Suite.
Available as an on-premise solution or as part of the organization’s cloud offering, OX App Suite is secure email and collaboration software designed for telcos, web hosting firms, and service providers.
The latest patch release includes fixes for two remote code execution (RCE) vulnerabilities that were discovered in the software’s document converter component. CVE-2022-23100 and CVE-2022-24405 earned CVSS scores of 8.2 and 7.3, respectively.
The document converter API was also found to harbor a server-side request forgery (SSRF) vulnerability (CVE-2022-24406) that potentially allowed attackers to predict multipart-formdata boundaries and overwrite its content.
Preemptive patches
Further down the severity list are two cross-site scripting (XSS) flaws impacting OX App Suite (CVE-2022-23099, CVE-2022-23101). In order to exploit these flaws, an attacker would need to force a victim to click on a malicious link.
In the wake of the Log4Shell issue that rocked the global software development industry last December, OX App Suite also includes an update that addresses a similar potential issue in the Logback component (CVE-2021-42550).
“At its default configuration, OX App Suite is not susceptible to this vulnerability and there are no scenarios that require to deploy a vulnerable configuration,” the Open-Xchange security advisory reads.
“We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting CVE-2021-42550 at this point would require privileged access to alter system configuration.”
External input
When asked whether the vulnerabilities were discovered as part of the company’s bug bounty program, Open-Xchange CISO Martin Heiland told The Daily Swig: “For this advisory, it was a 50/50 thing. We use input from the bug bounty program as inspiration for our internal research.
“In this case, the full impact of a seemingly ‘medium’ issue reported via the bounty program led to a thorough review process and discovery of a potential remote code execution flaw.”
Heiland added: “Combining internal reviews with external input makes our program very impactful and helps with continuous learning and challenging of our engineering teams. I have been running the bug bounty program for about six years, and it has been very successful for our web applications.”
The vulnerabilities impact OX App Suite versions 7.10.6 and earlier. They have all been fixed by the vendor in various branch updates.
“Most users run automated deployment and our own hosted service uses ‘cloud native’ automation/orchestration, which allows very swift updates,” Heiland said. “Of course, we advise updating as soon as possible, regardless of the deployment method.”
-
Technology2 years ago
VoIP Number: Everything You Need To Know
-
Music3 weeks ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you
-
Music2 weeks ago
[INSTRUMENTAL] John Legend – All Of Me
-
Music3 weeks ago
Alan Walker – Faded [INSTRUMENTAL]
-
Music2 weeks ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
-
Music2 weeks ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
-
ANE Stories3 months ago
[STORY] AMAKA THE LESBIAN (Complete Episodes)
-
Music3 weeks ago
[Music] Akon – Sorry Blame It On Me