Last updated date: 12th August 2024
Advisory publication date: 6th August 2024
Summary
This advisory discloses one medium vulnerability that can lead to CloverDX Server granting all user groups defined on the Server all permissions (i.e., the root permission ALL) after a Server restart.
All supported versions of CloverDX now have a fix available.
Am I affected?
This vulnerability affects all CloverDX Server versions prior to CloverDX 6.5.0 (i.e., CloverDX 6.5.0 and newer releases are not affected).
If you are affected, review the What you need to do section below. We have now released fixes for all supported affected versions of CloverDX.
CVE ID(s)
- CVE not assigned
Affected product versions
- CloverDX 6.4.x before 6.4.2
- CloverDX 6.3.x before 6.3.2
- CloverDX 6.2.x before 6.2.2
- CloverDX 6.1.x or older – these product versions are Retired or End of Life and no longer receive security fixes.
Fixed product versions
- CloverDX 6.4.2: see release notes for more details.
- CloverDX 6.3.2: see release notes for more details.
- CloverDX 6.2.2: see release notes for more details.
Vulnerabilities
Permissions set to ALL for all groups on CloverDX Server after restart
The CloverDX Server permission model is based on the concept of groups. Each group defines access permissions to different parts of the platform for members of that group. Each user can then be a member of any number of groups, and their effective permissions are computed as the union of the permissions of all groups they are members of.
As a safeguard against locking all users out of the Server, the Server implements a process called OperationAllPermissionInstaller that verifies, after each restart, whether at least one administrator account is configured on the Server. If not, the Server automatically assigns the permission called ALL (the root permission) to all groups on the Server.
This process is implemented in every version of CloverDX Server prior to CloverDX 6.5.0, where the approach was changed and the Server no longer allows such an invalid configuration to be saved.
- CVE details: CVE not assigned
- Severity: medium
- CVSS 3.1 score: 6.7
- CVSS 3.1 vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CloverDX issue tracker: CLO-29981
Fix
We recommend all customers upgrade to CloverDX 6.5.0 where the vulnerability is not present or to one of the fixed product versions (CloverDX 6.2.2 or 6.3.2).
What you need to do
- 6.5.x users – no need to do anything, CloverDX 6.5.0 is not affected by this vulnerability.
- 6.4.x before 6.4.2 users – disable the OperationAllPermissionInstaller and then update to 6.4.2 (easy update) or upgrade to the latest version of CloverDX.
- 6.3.x before 6.3.2 users – disable the OperationAllPermissionInstaller and then update to 6.3.2 (easy update) or upgrade to the latest version of CloverDX.
- 6.2.x before 6.2.2 users – disable the OperationAllPermissionInstaller and then update to 6.2.2 (easy update) or upgrade to the latest version of CloverDX.
- Older versions – upgrade to CloverDX 6.5.0 (recommended) or any other fixed version mentioned above.
Mitigation
The OperationAllPermissionInstaller can be easily disabled via CloverDX Server configuration. To disable this process, simply set the installer.OperationAllPermissionInstaller.enabled property to false.
This can be done via CloverDX Server Console: log-in as administrator and go to Configuration > Setup > Configuration file and add a line like this:
installer.OperationAllPermissionInstaller.enabled = false
Save the configuration file and then restart CloverDX Server (note that restarting the Worker is not enough; the whole Server must be restarted for the setting to take effect).
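The following script is an added example and is not CloverDX code. It encodes the affected and fixed version ranges listed in this advisory and checks a Server configuration file for the mitigation property, so that an inventory or hardening job can report which Servers still need the installer disabled or an update. It assumes that version strings are dotted integers such as 6.4.1, that the configuration file uses Java .properties syntax, and that the property value is read case-insensitively; the sample configuration text is constructed for the example.

```python
"""Audit helper for this advisory (added example, not CloverDX's own code).

Two checks a defender would script:
  1. is_affected(version): maps a CloverDX Server version string onto the
     affected/fixed ranges listed in the advisory.
  2. mitigation_applied(config_text): parses the Server configuration file
     (Java .properties syntax) and reports whether
     installer.OperationAllPermissionInstaller.enabled is explicitly false.

Assumptions not stated on the page: versions are dotted integers such as
"6.4.1", and the property value is compared case-insensitively.
"""
import re
from typing import Dict, Tuple

PROPERTY = "installer.OperationAllPermissionInstaller.enabled"

# Branch -> first fixed patch level, per "Fixed product versions" above.
FIXED_PATCH = {(6, 2): 2, (6, 3): 2, (6, 4): 2}
FIRST_UNAFFECTED = (6, 5, 0)   # 6.5.0 and newer do not contain the installer


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '6.4.1' (or '6.4') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the installer can still grant ALL to every group after a restart."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= FIRST_UNAFFECTED:
        return False                      # behaviour removed in 6.5.0
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is not None:
        return patch < fixed_patch        # 6.2.x / 6.3.x / 6.4.x fixed from .2
    return True                           # 6.1.x and older: no fix, upgrade


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Later keys override earlier ones."""
    props: Dict[str, str] = {}
    pending = ""                          # partial logical line being continued

    def add(line: str) -> None:
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()

    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):           # continuation: join with next line
            pending = line[:-1]
            continue
        add(line)
    if pending:
        add(pending)
    return props


def mitigation_applied(config_text: str) -> bool:
    """True only when the property is present and explicitly false.
    An absent property leaves the installer at its default (enabled)."""
    value = parse_properties(config_text).get(PROPERTY)
    return value is not None and value.lower() == "false"


# Constructed sample configuration text (not taken from any real Server).
SAMPLE_CONFIG_VULNERABLE = """\
# CloverDX Server configuration (constructed sample)
jdbc.url = jdbc:postgresql://db.example.internal/clover
"""
SAMPLE_CONFIG_MITIGATED = SAMPLE_CONFIG_VULNERABLE + f"{PROPERTY} = false\n"


def audit(version: str, config_text: str) -> str:
    """One-line verdict an inventory script would log per Server."""
    if not is_affected(version):
        return f"{version}: not affected"
    if mitigation_applied(config_text):
        return f"{version}: affected, installer disabled; update to a fixed version"
    return f"{version}: affected, installer ENABLED; set {PROPERTY} = false and restart the Server"


if __name__ == "__main__":
    for v in ("6.1.3", "6.4.1", "6.4.2", "6.5.0"):
        print(audit(v, SAMPLE_CONFIG_VULNERABLE))
        print(audit(v, SAMPLE_CONFIG_MITIGATED))
```

Run it against the configuration file exported from Configuration > Setup > Configuration file; a Server that reports "installer ENABLED" on an affected version is one where a missing administrator account would still cause ALL to be granted to every group at the next restart.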
Support
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
References
Update history
- 2024-08-12 – Updated list of fixed product versions, minor wording updates.
- 2024-08-06 – This advisory was first published.