Advisory publication date: 29th November, 2021
This advisory discloses one medium severity security vulnerability in CloverDX Server. The vulnerability (CVE-2021-42776) is an XXE (XML External Entity) vulnerability in CloverDX Server Console. This vulnerability allows users to read content of local files on CloverDX Server that they might not be able to access otherwise.
The vulnerability can be fixed by upgrading to newer version of CloverDX Server as described in Fixed product versions section below.
Affected product versions
- CloverDX 5.12.0
- CloverDX 5.11.1
- CloverDX 5.11.0
- CloverDX 5.10.x
- CloverDX 5.9.x
- CloverDX 5.8.x (this version is retired and does not receive security fixes)
- CloverDX 5.7.x (this version is retired and does not receive security fixes)
- CloverDX 5.6.x (this version is retired and does not receive security fixes)
- CloverDX 5.5.x (this version is retired and does not receive security fixes)
- All older CloverDX releases are end-of-life and may or may not be impacted by the issue.
Fixed product versions
- CloverDX 5.12.1
- CloverDX 5.11.2
CVE-2021-42776: XML External Entity (XXE) in CloverDX Server Console
CloverDX Server Console had an XXE vulnerability that allowed logged-in users with Import server configuration permission to view files on the Server file system that were outside of their regular sandbox.
- CVSS 3.1 score: 6.2 (medium)
- CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
- CloverDX Bug Tracker: CLO-22021: Possible XML External Entity (XXE) attack during configuration import
We have fixed the vulnerability in CloverDX 5.11.2 and CloverDX 5.12.1. It will also be fixed in all future CloverDX releases (CloverDX 5.13). All CloverDX releases can be downloaded from Customer portal https://support.cloverdx.com/downloads.
What you need to do
We recommend that you upgrade your CloverDX to the latest version (CloverDX 5.12.1). You can find full description of this latest version in CloverDX 5.12.1 Release Notes.
If you cannot upgrade to the latest version:
- If you have CloverDX 5.11.0 or 5.11.1, you can upgrade to CloverDX 5.11.2. Release notes for CloverDX 5.11.2.
- If you have older version of CloverDX (older than CloverDX 5.11.0), we recommend that you upgrade to the latest version. If you are unable to update to the latest version (for example due to CloverDX Server compatibility requirements), you can upgrade to one of the fixed versions mentioned above or apply the mitigation steps mentioned below.
If you are unable to update to one of the fixed CloverDX versions as mentioned above, you can apply following measures to limit the exposure:
- Disable Import server configuration permission for all users that do not require it as part of their work. Since this is a very powerful permission, only very limited group of users should have it enabled. This permission is only necessary when importing configuration and is not needed for regular Server operation. It is therefore possible to disable this permission for everyone if your processes do not require it.
To disable this permission for a user group, make sure group’s permissions are configured like this:
- Import server configuration permission is unchecked (checkbox is blank),
- Server configuration management permission is unchecked (checkbox is either blank or a “dash” symbol),
- Configuration permission is unchecked (checkbox is either blank or a “dash” symbol)
- All permissions permission is set to “dash”.
For more details about permissions see our documentation.
- Limit permissions of your CloverDX Server on the host system. This can be done by ensuring your CloverDX Server runs with limited user that does not have access to any data that is not necessary for its normal operation – e.g., it should not have permissions to see other user’s data etc.
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list here
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
We would like to thank Đoàn Nguyễn for reporting the issue to us.