Customer Portal

Knowledge Base

  1. CloverDX Customer Portal
  2. Knowledge base
  3. Security advisory November 2021

Security advisory November 2021

Avatar
Branislav Repcek
  • Updated
Follow

Advisory publication date: 29th November, 2021

Summary

This advisory discloses one medium severity security vulnerability in CloverDX Server. The vulnerability (CVE-2021-42776) is an XXE (XML External Entity) vulnerability in CloverDX Server Console. This vulnerability allows users to read content of local files on CloverDX Server that they might not be able to access otherwise.

The vulnerability can be fixed by upgrading to newer version of CloverDX Server as described in Fixed product versions section below.

CVE ID(s)

  • CVE-2021-42776

Affected product versions

  • CloverDX 5.12.0
  • CloverDX 5.11.1
  • CloverDX 5.11.0
  • CloverDX 5.10.x
  • CloverDX 5.9.x
  • CloverDX 5.8.x (this version is retired and does not receive security fixes)
  • CloverDX 5.7.x (this version is retired and does not receive security fixes)
  • CloverDX 5.6.x (this version is retired and does not receive security fixes)
  • CloverDX 5.5.x (this version is retired and does not receive security fixes)
  • All older CloverDX releases are end-of-life and may or may not be impacted by the issue.

Fixed product versions

  • CloverDX 5.12.1
  • CloverDX 5.11.2

CVE-2021-42776: XML External Entity (XXE) in CloverDX Server Console

CloverDX Server Console had an XXE vulnerability that allowed logged-in users with Import server configuration permission to view files on the Server file system that were outside of their regular sandbox.

Fix

We have fixed the vulnerability in CloverDX 5.11.2 and CloverDX 5.12.1. It will also be fixed in all future CloverDX releases (CloverDX 5.13). All CloverDX releases can be downloaded from Customer portal https://support.cloverdx.com/downloads.

What you need to do

We recommend that you upgrade your CloverDX to the latest version (CloverDX 5.12.1). You can find full description of this latest version in CloverDX 5.12.1 Release Notes.

If you cannot upgrade to the latest version:

  1. If you have CloverDX 5.11.0 or 5.11.1, you can upgrade to CloverDX 5.11.2. Release notes for CloverDX 5.11.2.
  2. If you have older version of CloverDX (older than CloverDX 5.11.0), we recommend that you upgrade to the latest version. If you are unable to update to the latest version (for example due to CloverDX Server compatibility requirements), you can upgrade to one of the fixed versions mentioned above or apply the mitigation steps mentioned below.

Mitigation

If you are unable to update to one of the fixed CloverDX versions as mentioned above, you can apply following measures to limit the exposure:

  • Disable Import server configuration permission for all users that do not require it as part of their work. Since this is a very powerful permission, only very limited group of users should have it enabled. This permission is only necessary when importing configuration and is not needed for regular Server operation. It is therefore possible to disable this permission for everyone if your processes do not require it.

To disable this permission for a user group, make sure group’s permissions are configured like this:

  • Import server configuration permission is unchecked (checkbox is blank),
  • Server configuration management permission is unchecked (checkbox is either blank or a “dash” symbol),
  • Configuration permission is unchecked (checkbox is either blank or a “dash” symbol)
  • All permissions permission is set to “dash”.

For more details about permissions see our documentation.

  • Limit permissions of your CloverDX Server on the host system. This can be done by ensuring your CloverDX Server runs with limited user that does not have access to any data that is not necessary for its normal operation – e.g., it should not have permissions to see other user’s data etc.

Support

If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list here

If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.

Acknowledgement

We would like to thank Đoàn Nguyễn for reporting the issue to us.

References

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments 0

Please sign in to leave a comment.

Articles in this section

Security advisory August 2024 Security advisory April 2023 Security advisory November 2022 – Text4Shell Security advisories Resolving SFTP connection issue by re-enabling SSH-rsa Security advisory November 2022 – OpenSSL Security advisory April 2022 – Spring4Shell Security advisory December 2021 Security advisory November 2021 Security advisory April 2021