Customer Portal

Knowledge Base

  1. CloverDX Customer Portal
  2. Knowledge base
  3. Security advisory April 2021

Security advisory April 2021

Avatar
Pavel Najvar
  • Updated
Follow

Publication date: 12 April 2021

This advisory discloses two high severity security vulnerabilities in CloverDX Server. The first vulnerability (CVE-2021-29995) is an XSS vulnerability in CloverDX Server Simple HTTP API while the second one (CVE-2021-30133) is a CSRF vulnerability in CloverDX Server – see below for more details.

Both vulnerabilities affect the same versions of CloverDX Server and can be fixed by upgrading to newer CloverDX release as detailed below.

CVE ID(s)

  • CVE-2021-30133
  • CVE-2021-29995

Affected product versions

  • CloverDX 5.9.0
  • CloverDX 5.8.1
  • CloverDX 5.8.0
  • CloverDX 5.7.0
  • CloverDX 5.6.x (this version is retired and does not receive security fixes)
  • CloverDX 5.5.x (this version is retired and does not receive security fixes)
  • CloverDX 5.4.x (this version is retired and does not receive security fixes)
  • CloverDX 5.3.x (this version is retired and does not receive security fixes)
  • All older CloverDX releases are end-of-life and may or may not be impacted by the issue.

Fixed product versions

  • CloverDX 5.10.0
  • CloverDX 5.9.1
  • CloverDX 5.8.2
  • CloverDX 5.7.1

 

CVE-2021-30133: Cross-site scripting (XSS) in CloverDX Server Simple HTTP API

CloverDX Server’s Simple HTTP API had an XSS vulnerability that allowed remote attacker to inject arbitrary script or HTML via sessionToken parameter of the API methods. Every Simple HTTP API method was affected by this vulnerability.

 

CVE-2021-29995: Cross site request forgery (CSRF) leading to Remote Code Execution on the CloverDX Server

CloverDX Server had a cross site request forgery (CSRF) vulnerability that allowed remote attacker to execute any action as logged-in user once the user clicked on a link to attacker-controller website. Since many users can run arbitrary jobs from CloverDX Server Console, this vulnerability allowed the attacker to execute any code including shell scripts.

 

 

Fix

For both vulnerabilities, we have taken the following steps:

  • Released CloverDX 5.10.0, CloverDX 5.9.1, CloverDX 5.8.2 and CloverDX 5.7.1 which contain fixes for both issues and can be downloaded from our customer portal from https://support.cloverdx.com/downloads.

 

What you need to do

We recommend that you upgrade your CloverDX to the latest version (CloverDX 5.10.0). You can find full description of the latest version in CloverDX 5.10.0 Release Notes.

If you cannot upgrade to the latest version:

  1. If you have CloverDX 5.9.0, you can upgrade to CloverDX 5.9.1. Release notes for CloverDX 5.9.1.
  2. If you have CloverDX 5.8.0 or CloverDX 5.8.1, you can upgrade to CloverDX 5.8.2. Release notes for CloverDX 5.8.2.
  3. If you have CloverDX 5.7.0, you can upgrade to CloverDX 5.7.1. Release notes for CloverDX 5.7.1.
  4. If you have an older version of CloverDX (before CloverDX 5.7.0), we recommend that you upgrade to the latest version. If you are unable to update to the latest version (for example due to CloverDX Server compatibility requirements), you can upgrade to one of the fixed versions mentioned above or apply the mitigation steps mentioned below.

 

Mitigation

If you are unable to update to one of the fixed CloverDX versions as mentioned above, you can apply following temporary measures to limit the exposure:

  • Disable Simple HTTP API if you are not using it. This can be done in Server configuration via http.api.enabled configuration property. See the documentation for more details.
  • Ensure that your CloverDX Sever instances are properly protected via firewall configuration and are not accessible from the internet unless necessary.
  • Review Post-installation best practices and ensure that you follow the best practices described there.
  • Restrict the ability to call any CloverDX API endpoint to your internal network only. This can be done by configuring firewall to deny connections to CloverDX APIs from external network.
  • Limit user permissions for users in the system:
    • Ensure that only limited group of users have administrative permissions on the Server.
    • Reduce permissions of all users to prevent them from creating or editing tasks executed by CloverDX Server automation. In particular, prevent users from creating or editing Scheduling, Event Listeners or Data Services. See the documentation about user groups here.
    • Restrict user accounts that do not require write access to sandboxes so that they only have read-only sandbox access. This can be done on per sandbox basis. See more details in our documentation.

 

Support

If you want to receive security information and updates directly from us, please subscribe to the CloverDX Security Alerts mailing list here.

If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.

 

Acknowledgement

We would like to thank Patryk Bogusz for reporting both issues covered in this security advisory.

 

References

 

 

 

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments 0

Please sign in to leave a comment.

Related articles

Articles in this section

Security advisory August 2024 Security advisory April 2023 Security advisory November 2022 – Text4Shell Security advisories Resolving SFTP connection issue by re-enabling SSH-rsa Security advisory November 2022 – OpenSSL Security advisory April 2022 – Spring4Shell Security advisory December 2021 Security advisory November 2021 Security advisory April 2021