Need dedicated support? Click here
Need dedicated support?
Click here

Security Vulnerablities in OnlyOffice Workspace

Workspace
#1

Community Server/Control Panel version: 12.1.1194
Type of installation of Workspace (docker, deb/rpm, exe): exe
OS: Windows Server 2016
Browser version: Firefox 109.0 (64-bit)

We tried nessus vulnerability scanner on Onlyoffice Workspace and it has found following issues:

  • PostgreSQL 9.1.x < 9.1.24 / 9.2.x < 9.2.19 / 9.3.x < 9.3.15 / 9.4.x < 9.4.10 / 9.5.x < 9.5.5 / 9.6.x < 9.6.1 Aggregate Functions Use-after-free DoS
  • PostgreSQL 9.3 < 9.3.23 / 9.4 < 9.4.18 / 9.5 < 9.5.13 / 9.6 < 9.6.9 / 10.3 Insecure ACL Remote Issue
  • PostgreSQL 9.5.x < 9.5.22 / 9.6.x < 9.6.18 / 10.x < 10.13 / 11.x < 11.8 / 12.x < 12.3 Arbitrary Code Execution Vulnerability
  • Node.js 12.16.3 < 12.19.1 / 14.13.0 < 14.15.1 / 15.x < 15.2.1 DoS (November 2020 Security Releases)
  • Python Information Disclosure (CVE-2021-3426)
  • Security Update for .NET Core (February 2022)
  • WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)
  • Security Update for .NET Core (February 2023)

Most of these issues are caused due to usage of older versions of Python, Postgrsql, Nodejs, etc. I want to mitigate these issues on a device with no internet connection (private network) by just sharing the required files. Is there any way to secure these vulnerabilities?

#2

Hello @OnlyOfficeTester
What was scanner used? We have to re-check its output result. We are going to start with mentioned CVE-2021-3426 and CVE-2013-3900.

Most of these issues are caused due to usage of older versions of Python, Postgrsql, Nodejs, etc.

As for other lines, it seems that the scanner responded to old component versions, but we’ll check it out too.
I will update this thread when we have something to share.

#4

Update:

  • PostgreSQL 9.1.x < 9.1.24 / 9.2.x < 9.2.19 / 9.3.x < 9.3.15 / 9.4.x < 9.4.10 / 9.5.x < 9.5.5 / 9.6.x < 9.6.1 Aggregate Functions Use-after-free DoS
  • PostgreSQL 9.3 < 9.3.23 / 9.4 < 9.4.18 / 9.5 < 9.5.13 / 9.6 < 9.6.9 / 10.3 Insecure ACL Remote Issue
  • PostgreSQL 9.5.x < 9.5.22 / 9.6.x < 9.6.18 / 10.x < 10.13 / 11.x < 11.8 / 12.x < 12.3 Arbitrary Code Execution Vulnerability

These can be fixed with PostgreSQL update to v.14.7.

#5

We added a bug to internal tracksystem (62063) to update all mentioned components (Nodejs, PotgreSQL, Python). We have started working on it.

#6

Please also make a Zap vulnerability scanner’s Scan as well. It showed high impact vulnerabilities in my report, however I am unable to find the report now.

Also Can I know when will community edition come out with these changes? I guess the latest version is not available in Community edition since last github commit here is quite old: https://github.com/ONLYOFFICE/CommunityServer

It shows v12.0 when latest one’s 12.5. I need it to test out more things

#7

It shows v12.0 when latest one’s 12.5. I need it to test out more things

We already released v.12.5 on our cloud portals (https://www.onlyoffice.com/registration.aspx). But we need a few more days to finish our tests before docker\package\exe releases. We’re planning to release v.12.5 for stand-alone server as soon as possible.