Publication date: 12 April 2021
This advisory discloses two high severity security vulnerabilities in CloverDX Server. The first vulnerability (CVE-2021-29995) is an XSS vulnerability in CloverDX Server Simple HTTP API while the second one (CVE-2021-30133) is a CSRF vulnerability in CloverDX Server – see below for more details.
Both vulnerabilities affect the same versions of CloverDX Server and can be fixed by upgrading to a newer CloverDX release as detailed below.
Affected product versions
- CloverDX 5.9.0
- CloverDX 5.8.1
- CloverDX 5.8.0
- CloverDX 5.7.0
- CloverDX 5.6.x (this version is retired and does not receive security fixes)
- CloverDX 5.5.x (this version is retired and does not receive security fixes)
- CloverDX 5.4.x (this version is retired and does not receive security fixes)
- CloverDX 5.3.x (this version is retired and does not receive security fixes)
- All older CloverDX releases are end-of-life and may or may not be impacted by the issue.
Fixed product versions
- CloverDX 5.10.0
- CloverDX 5.9.1
- CloverDX 5.8.2
- CloverDX 5.7.1
CVE-2021-30133: Cross-site scripting (XSS) in CloverDX Server Simple HTTP API
CloverDX Server’s Simple HTTP API had an XSS vulnerability that allowed a remote attacker to inject arbitrary script or HTML via the sessionToken parameter of the API methods. Every Simple HTTP API method was affected by this vulnerability.
- CVSS 3.1 Score: 8.8
- CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O
- CloverDX bug tracker: CLO-20814: Remove the XSS vulnerability from the error page
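Because the flaw reflected the sessionToken parameter back to the client, one useful retrospective check is to scan web server access logs for Simple HTTP API requests whose sessionToken contains HTML metacharacters after URL decoding. The following is an added example (not CloverDX code); the API path prefix, the log format and the log lines themselves are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed path prefix of the Simple HTTP API; adjust to your deployment (hypothetical).
SIMPLE_API_PREFIX = "/clover/simpleHttpApi/"
# Characters that should never appear in a session token but matter for HTML injection.
HTML_META = re.compile(r'[<>"\'&]')

# Constructed sample lines in Apache/Tomcat combined log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2021:10:01:02 +0000] "GET /clover/simpleHttpApi/graph_run?graphID=1&sessionToken=f3a9c1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [12/Apr/2021:10:02:17 +0000] "GET /clover/simpleHttpApi/graph_run?graphID=1&sessionToken=x%3Cb%3Ey HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
10.0.0.5 - - [12/Apr/2021:10:03:44 +0000] "GET /clover/gui/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_session_tokens(log_text):
    """Return (client_ip, timestamp, decoded_token) for Simple HTTP API requests
    whose sessionToken value contains HTML metacharacters once percent-decoded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(SIMPLE_API_PREFIX):
            continue
        # parse_qs percent-decodes values, so an encoded "%3C" is inspected as "<".
        for token in parse_qs(parts.query).get("sessionToken", []):
            if HTML_META.search(token):
                hits.append((m.group("ip"), m.group("ts"), token))
    return hits


if __name__ == "__main__":
    for ip, ts, token in suspicious_session_tokens(SAMPLE_LOG):
        print(f"{ts} {ip} sessionToken={token!r}")
```

Run it against a real access log by passing the file contents in place of SAMPLE_LOG; a hit indicates a request worth correlating with the client address and any session activity that followed.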
CVE-2021-29995: Cross site request forgery (CSRF) leading to Remote Code Execution on the CloverDX Server
CloverDX Server had a cross site request forgery (CSRF) vulnerability that allowed a remote attacker to execute any action as the logged-in user once that user clicked on a link to an attacker-controlled website. Since many users can run arbitrary jobs from the CloverDX Server Console, this vulnerability allowed the attacker to execute any code, including shell scripts.
- CVSS 3.1 Score: 8.8
- CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O
- CloverDX bug tracker: CLO-20786: Update JSF to version 2.2.16
For both vulnerabilities, we have taken the following steps:
- Released CloverDX 5.10.0, CloverDX 5.9.1, CloverDX 5.8.2 and CloverDX 5.7.1, which contain fixes for both issues and can be downloaded from our customer portal at https://support.cloverdx.com/downloads.
What you need to do
We recommend that you upgrade your CloverDX to the latest version (CloverDX 5.10.0). You can find a full description of the latest version in the CloverDX 5.10.0 Release Notes.
If you cannot upgrade to the latest version:
- If you have CloverDX 5.9.0, you can upgrade to CloverDX 5.9.1. Release notes for CloverDX 5.9.1.
- If you have CloverDX 5.8.0 or CloverDX 5.8.1, you can upgrade to CloverDX 5.8.2. Release notes for CloverDX 5.8.2.
- If you have CloverDX 5.7.0, you can upgrade to CloverDX 5.7.1. Release notes for CloverDX 5.7.1.
- If you have an older version of CloverDX (before CloverDX 5.7.0), we recommend that you upgrade to the latest version. If you are unable to update to the latest version (for example due to CloverDX Server compatibility requirements), you can upgrade to one of the fixed versions mentioned above or apply the mitigation steps mentioned below.
If you are unable to update to one of the fixed CloverDX versions mentioned above, you can apply the following temporary measures to limit the exposure:
- Disable the Simple HTTP API if you are not using it. This can be done in the Server configuration via the http.api.enabled configuration property. See the documentation for more details.
- Ensure that your CloverDX Server instances are properly protected via firewall configuration and are not accessible from the internet unless necessary.
- Review the Security Recommendations for CloverDX Server article and ensure that you follow the best practices described there.
- Restrict the ability to call any CloverDX API endpoint to your internal network only. This can be done by configuring a firewall to deny connections to CloverDX APIs from external networks.
- Limit user permissions for users in the system:
  - Ensure that only a limited group of users have administrative permissions on the Server.
  - Reduce permissions of all users to prevent them from creating or editing tasks executed by CloverDX Server automation. In particular, prevent users from creating or editing Scheduling, Event Listeners or Data Services. See the documentation about user groups here.
  - Restrict user accounts that do not require write access to sandboxes so that they only have read-only sandbox access. This can be done on a per-sandbox basis. See more details in our documentation.
If you want to receive security information and updates directly from us, please subscribe to the CloverDX Security Alerts mailing list here.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
We would like to thank Patryk Bogusz for reporting both issues covered in this security advisory.