Security Vulnerabilities
Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version where that vulnerability has been fixed.
For more information about reporting vulnerabilities, see the Apache Security Team page.
Vulnerability handling guide
Reporting New Security Problems
Please report any security issues to security@openmeetings.apache.org
Please NOTE: only security issues should be reported to this list.
CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 3.1.0
Description: Apache OpenMeetings is vulnerable to Remote Code Execution via an RMI deserialization attack against its RMI registry.
CVE-2016-8736
The issue was fixed in 3.1.2
All users are recommended to upgrade to Apache OpenMeetings 3.1.3
Credit: This issue was identified by Jacob Baines, Tenable Network Security
CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 3.1.0
Description: The value of the URL's "swf" query parameter is interpolated into a JavaScript tag without being escaped, leading to reflected XSS.
CVE-2016-3089
All users are recommended to upgrade to Apache OpenMeetings 3.1.2
Credit: This issue was identified by Matthew Daley
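The pattern behind this advisory, as an added illustration that is not OpenMeetings code (the project is Java; Python is used here so the rendering can be run and compared): the template below is a hypothetical stand-in for the SWF panel page, since the advisory does not reproduce the real markup. It shows raw interpolation of the parameter beside the fix, which encodes the value as a JavaScript string literal and additionally escapes "</" so the HTML tokenizer can never see a closing </script> inside it.

```python
import json

# Hypothetical template standing in for the SWF panel page; the advisory does
# not reproduce the real OpenMeetings markup, only that the parameter is
# interpolated unescaped into a script tag.
def render_vulnerable(swf: str) -> str:
    # Raw interpolation: a double quote in the parameter ends the string literal
    # and whatever follows runs as script; "</script>" ends the whole element.
    return '<script>var swfUrl = "%s"; loadPanel(swfUrl);</script>' % swf

def js_string_literal(value: str) -> str:
    # A JSON string is a valid JavaScript string literal with quotes,
    # backslashes, control characters and (with ensure_ascii) U+2028/2029
    # escaped. "</" is escaped as well so the HTML tokenizer never sees a
    # closing </script> inside the literal.
    return json.dumps(value).replace("</", "<\\/")

def render_fixed(swf: str) -> str:
    return '<script>var swfUrl = %s; loadPanel(swfUrl);</script>' % js_string_literal(swf)

# Constructed payloads: one breaks out of the string literal, one out of the element.
BREAK_STRING = '";alert(document.cookie);//'
BREAK_ELEMENT = '</script><script>alert(1)</script>'

if __name__ == "__main__":
    for payload in (BREAK_STRING, BREAK_ELEMENT):
        print("vulnerable:", render_vulnerable(payload))
        print("fixed:     ", render_fixed(payload))
```

The encoding is specific to the context: a JavaScript string literal inside a script element. The same value placed in an HTML attribute or in element text would need HTML entity encoding instead, and applying the wrong one leaves the injection open.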
CVE-2016-0783 - Predictable password reset token
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description: The token generated by the external password reset function is the MD5 hash of the user name concatenated with the current system time. This is highly predictable: an attacker who knows the user name of an OpenMeetings user can brute-force the token in seconds.
CVE-2016-0783
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
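Why the token is crackable in seconds, as an added illustration that is not OpenMeetings code (the project is Java; Python is used so the attack can be run): weak_reset_token is an assumed reconstruction of the scheme the advisory describes, MD5 over user name plus current time in milliseconds, since the exact concatenation format is not given on this page. The attacker's only unknown is the timestamp, so a window of a few minutes is enumerated in well under a second. strong_reset_token shows the replacement: a token drawn from the OS CSPRNG, with no relation to the user name or the clock.

```python
import hashlib
import hmac
import secrets
import time

def weak_reset_token(username: str, now_ms: int) -> str:
    # Assumed reconstruction of the weak scheme the advisory describes:
    # MD5 over the user name concatenated with the current time in milliseconds.
    # The exact string format used by OpenMeetings is not given on this page.
    return hashlib.md5(f"{username}{now_ms}".encode()).hexdigest()

def crack_weak_token(token: str, username: str, start_ms: int, window_ms: int):
    # Brute-force the only unknown, the timestamp, across a window of candidate
    # milliseconds. Knowing the user name and roughly when the reset was
    # requested is all the attacker needs. Returns the timestamp or None.
    for t in range(start_ms, start_ms + window_ms):
        if hmac.compare_digest(weak_reset_token(username, t), token):
            return t
    return None

def strong_reset_token(nbytes: int = 32) -> str:
    # A token from the OS CSPRNG: 256 bits of entropy, independent of the
    # user name and the clock, so there is nothing to enumerate.
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    issued_at = int(time.time() * 1000)
    token = weak_reset_token("alice", issued_at)
    # Attacker assumes the reset was requested within the last ten minutes.
    recovered = crack_weak_token(token, "alice", issued_at - 600_000, 600_001)
    print("recovered timestamp:", recovered, "matches:", recovered == issued_at)
    print("unpredictable token:", strong_reset_token())
```

A complete fix also expires the token and invalidates it on first use, but those controls do not help while the value itself can be enumerated; the entropy has to come from a CSPRNG, not from inputs the attacker knows or can guess.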
CVE-2016-0784 - ZIP file path traversal
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially crafted file names within ZIP archives. Uploading an archive containing a file named ../../../public/hello.txt writes the file "hello.txt" to the http://domain:5080/openmeetings/public/ directory. This could be used, for example, to overwrite /usr/bin/convert (or any other third-party executable the application invokes) with a shell script, which would then be executed the next time an image file is uploaded and ImageMagick is invoked.
CVE-2016-0784
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
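The check that is missing in an extractor with this bug, as an added illustration that is not OpenMeetings code (the project is Java; Python is used so the demo runs stand-alone): every entry name is resolved against the destination directory and refused if the canonical result lies outside it, before anything is written. The demo builds a constructed archive carrying the ../../../public/hello.txt entry from the advisory and shows it rejected while a benign archive extracts.

```python
import io
import os
import tempfile
import zipfile

class UnsafeArchiveEntry(Exception):
    """Raised for an entry whose name would escape the extraction directory."""

def safe_member_path(dest_dir: str, member_name: str) -> str:
    # Resolve the entry name against the destination and refuse anything that
    # lands outside it: "../" segments, absolute names, or symlinked parents.
    dest_root = os.path.realpath(dest_dir)
    if os.path.isabs(member_name):
        raise UnsafeArchiveEntry(member_name)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise UnsafeArchiveEntry(member_name)
    return target

def is_safe_member(dest_dir: str, member_name: str) -> bool:
    try:
        safe_member_path(dest_dir, member_name)
        return True
    except UnsafeArchiveEntry:
        return False

def extract_safely(zip_bytes: bytes, dest_dir: str) -> list:
    # Validate every name before writing anything, so a bad entry in the
    # middle of an archive cannot leave a half-written backup behind.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, safe_member_path(dest_dir, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_zip(entries: dict) -> bytes:
    # Constructed sample archive for the demo: {entry name: content}.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> tuple:
    # Returns (files extracted from a benign archive, whether the traversal
    # archive was rejected, names left in the temp dir after both attempts).
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "backup")
        os.mkdir(dest)
        extracted = extract_safely(build_zip({"users.xml": "<users/>"}), dest)
        try:
            extract_safely(build_zip({"../../../public/hello.txt": "owned"}), dest)
            rejected = False
        except UnsafeArchiveEntry:
            rejected = True
        return (len(extracted), rejected, sorted(os.listdir(tmp)))

if __name__ == "__main__":
    print(demo())
```

Python's own ZipFile.extractall() already strips such names, which is why the check is written out by hand here rather than delegated to it: a ZipInputStream-style loop that joins the entry name onto a base directory, which is the shape of code this advisory concerns, performs no such sanitisation on its own.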
CVE-2016-2163 - Stored Cross Site Scripting in Event description
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7
Description: When creating an event, it is possible to create clickable URL links in the event description. These links are present inside the event details once a participant enters the room via the event. It is possible to create a link like "javascript:alert('xss')", which executes once the link is clicked. As the link is placed within an <a> tag, the actual link target is not visible to the end user, which makes it hard to tell whether the link is legitimate.
CVE-2016-2163
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
CVE-2016-2164 - Arbitrary file read via SOAP API
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7
Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile methods in the FileService, it is possible to read arbitrary files from the system. This is because Java's URL class is used without checking which protocol handler is specified in the API call, so a file: URL is fetched just like an http: one.
CVE-2016-2164
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
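Both this advisory and CVE-2016-2163 above come down to accepting a URL without looking at its scheme: a javascript: link in an event description, and a file: (or jar:, ftp:, ...) URL handed to Java's URL class by the import API. The scheme allowlist below is an added illustration that is not OpenMeetings code (the project is Java; Python is used so it runs stand-alone). The allowed-scheme sets and the function names are assumptions chosen for the example; the checks decide by parsed scheme after normalising the whitespace browsers ignore, not by searching for "javascript" as a substring.

```python
from urllib.parse import urlsplit

# Schemes an event description may link to, and schemes the import API may
# fetch from. Both are allowlists: anything not listed (javascript:, data:,
# file:, jar:, ftp:, ...) is refused rather than enumerating the bad ones.
LINK_SCHEMES = {"http", "https", "mailto"}
IMPORT_SCHEMES = {"http", "https"}

def scheme_of(url: str) -> str:
    # Browsers ignore leading whitespace and embedded tab/CR/LF when reading a
    # scheme, so "java\tscript:" is still javascript:; normalise the same way.
    cleaned = url.strip()
    for ch in ("\t", "\r", "\n"):
        cleaned = cleaned.replace(ch, "")
    return urlsplit(cleaned).scheme.lower()

def is_allowed_link(href: str) -> bool:
    # Event-description links (CVE-2016-2163): decide by parsed scheme.
    return scheme_of(href) in LINK_SCHEMES

def import_url_allowed(url: str) -> bool:
    # Import API (CVE-2016-2164): only a remote http(s) origin with a host may
    # be handed to the URL fetcher; file:, jar: and friends never reach it.
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in IMPORT_SCHEMES and bool(parts.netloc)

def validate_import_url(url: str) -> str:
    if not import_url_allowed(url):
        raise ValueError("refusing to import from %r" % url)
    return url

if __name__ == "__main__":
    for href in ("https://example.org/agenda", "javascript:alert('xss')", "java\tscript:alert(1)"):
        print(repr(href), "link allowed:", is_allowed_link(href))
    for url in ("https://files.example.org/slides.pdf", "file:///etc/passwd", "jar:file:///tmp/a.jar!/"):
        print(url, "import allowed:", import_url_allowed(url))
```

Two caveats. If the description passes through an HTML sanitiser, the href must be checked after entity decoding, or "&#106;avascript:" slips past a check on the raw text. And restricting the import API to http(s) stops local file reads but not requests to internal hosts; that is a separate control and is not what this advisory covers.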