Matrix.org

Disclosing Synapse security advisories

24.05.2023 13:44 — Security — Denis Kasak (dkasak)
Last update: 24.05.2023 13:36

Today we are retroactively publishing advisories for security bugs in Synapse. From oldest to most recent, they are:

GHSA-p9qp-c452-f9r7 (CVE-2022-39374), fixed in Synapse 1.68.0 and affecting all prior versions since Synapse 1.62.0;
GHSA-45cj-f97f-ggwv (CVE-2022-39335), fixed in Synapse 1.69.0 and affecting all prior versions; and finally
GHSA-f3wc-3vxv-xmvr (CVE-2023-32323), fixed in Synapse 1.74.0 and affecting all prior versions.

We strongly advise Synapse operators who are still on earlier Synapse versions to upgrade to the latest version (v1.84.0) or at the very least v1.74.0 (released Dec 2022), to prevent attacks based on these vulnerabilities. Please see the advisories for the full details, including a description of

the vulnerability and potential attacks,
exactly which deployments are vulnerable, and
workarounds and mitigations.

Because these bugs are either related to or exploitable over Matrix federation, we have delayed publishing these advisories until now out of caution. This allowed us to ensure that the majority of Synapse homeservers across the public federation have upgraded to a sufficiently patched version, based on the (opt-in) stats reporting to the Matrix.org foundation.

If you have any questions or comments about this announcement or any of the advisories, e-mail us at [email protected].

Security releases: matrix-js-sdk 24.0.0 and matrix-react-sdk 3.69.0

28.03.2023 00:00 — Releases — Denis Kasak (dkasak)

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a pair of High severity vulnerabilities (CVE-2023-28427 / GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv for matrix-react-sdk).

Affected clients include those which depend on the affected libraries, such as Element Web/Desktop and Cinny. Releases of the affected clients should follow shortly. We advise users of those clients to upgrade at their earliest convenience.

The issues involve prototype pollution via events containing special strings in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk and matrix-react-sdk, potentially impacting the consumer's ability to process data safely.

Although we have only demonstrated a denial-of-service-style impact, we cannot completely rule out the possibility of a more severe impact due to the relatively extensive attack surface. We have therefore classified this as High severity and strongly recommend upgrading as a precautionary measure.

We found these issues during a codebase audit that we had previously announced in an earlier security release of matrix-js-sdk and matrix-react-sdk. The earlier release had already addressed a set of similar vulnerabilities that were assigned CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 and CVE-2022-36060 / GHSA-2x9c-qwgf-94xr, which we had initially decided not to disclose until the completion of the audit. Now that the audit is finished, we are disclosing those previous advisories as well.

Security release of matrix-appservice-irc 0.35.0 (High severity)

13.09.2022 16:56 — Releases — Denis Kasak (dkasak)

We've released a new version of matrix.org's node-irc 1.3.0 and matrix-appservice-irc 0.35.0, to patch several security issues:

IRC mode operator confusion (Low, GHSA-cq7q-5c67-w39w)
Parsing issue leading to room takeovers (High, GHSA-xvqg-mv25-rwvw)
Undisclosed issue (Moderate, GHSA-r3p6-cg2c-c4qw)

The details of the final vulnerability will be released at a later date, pending an audit of the codebase to ensure it's not affected by other similar vulnerabilities.

The vulnerabilities have been patched in node-irc version 1.3.0 and matrix-appservice-irc 0.35.0. You can get the release on Github.

The bridges running on the Libera Chat, OFTC and other networks bridged by the Matrix.org Foundation have been patched.

Please upgrade your IRC bridge as soon as possible.

The above vulnerabilities were reported by Val Lorentz. Thank you!

Security releases: matrix-js-sdk 19.4.0 and matrix-react-sdk 3.53.0

31.08.2022 18:13 — Releases — Denis Kasak (dkasak)

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a couple of High severity vulnerabilities (reserved as CVE-2022-36059 for the matrix-js-sdk and CVE-2022-36060 for the matrix-react-sdk).

Affected clients include those which depend on the affected libraries, such as Element Web/Desktop and Cinny. Releases of the affected clients will follow shortly. We advise users of those clients to upgrade at their earliest convenience.

The vulnerabilities give an adversary who you share a room with the ability to carry out a denial-of-service attack against the affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.

The full vulnerability details will be disclosed at a later date, to give people time to upgrade and us to perform a more thorough audit of the codebase.

Note that while the vulnerability was to our knowledge never exploited maliciously, some unintentional public testing has left some people affected by the bug. We made a best effort to sanitize this to stop the breakage. If you are affected, you may still need to clear the cache and reload your Matrix client for it to take effect.

We thank Val Lorentz who discovered and reported the vulnerability over the weekend.