Today we are retroactively publishing advisories for security bugs in Synapse. From oldest to most recent, they are:
We strongly advise Synapse operators who are still on earlier Synapse versions to upgrade to the latest version (v1.84.0) or at the very least v1.74.0 (released Dec 2022), to prevent attacks based on these vulnerabilities. Please see the advisories for the full details, including a description of
- the vulnerability and potential attacks,
- exactly which deployments are vulnerable, and
- workarounds and mitigations.
Because these bugs are either related to or exploitable over Matrix federation, we have delayed publishing these advisories until now out of caution. This allowed us to ensure that the majority of Synapse homeservers across the public federation have upgraded to a sufficiently patched version, based on the (opt-in) stats reporting to the Matrix.org foundation.
If you have any questions or comments about this announcement or any of the advisories, e-mail us at [email protected].
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a pair of High severity vulnerabilities (CVE-2023-28427 / GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv for matrix-react-sdk).
Affected clients include those which depend on the affected libraries, such as
Element Web/Desktop and Cinny. Releases of the affected clients should follow
shortly. We advise users of those clients to upgrade at their earliest
convenience.
The issues involve prototype pollution via events containing special strings in
key locations, which can temporarily disrupt normal functioning of
matrix-js-sdk and matrix-react-sdk, potentially impacting the consumer's
ability to process data safely.
Although we have only demonstrated a denial-of-service-style impact, we cannot
completely rule out the possibility of a more severe impact due to the
relatively extensive attack surface. We have therefore classified this as High
severity and strongly recommend upgrading as a precautionary measure.
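The class of bug described above, as an added illustration that is not code from matrix-js-sdk or matrix-react-sdk: a decoded event object whose keys include `__proto__`, `constructor` or `prototype` can reach an object's prototype chain when it is merged into a cache without key checks. The sample events, the `findUnsafeKeys` validator and the merge functions below are constructed for this example; the demo merges into an object with a private prototype so that nothing here touches `Object.prototype`.

```javascript
// Keys that, as own properties of decoded JSON, reach an object's prototype chain when merged.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Walk a decoded event and report the dotted path of every prototype-reaching key.
function findUnsafeKeys(value, path = "") {
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...findUnsafeKeys(value[key], here));
  }
  return hits;
}

// Vulnerable pattern: descends into target[key] without checking it is an own property,
// so a "__proto__" key walks onto the prototype object and writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v === null || typeof v !== "object" || Array.isArray(v)) { target[key] = v; continue; }
    if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
    naiveMerge(target[key], v);
  }
  return target;
}

// Hardened form: drop forbidden keys and only descend into own, plain-object properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const v = source[key];
    if (v === null || typeof v !== "object" || Array.isArray(v)) { target[key] = v; continue; }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
    safeMerge(target[key], v);
  }
  return target;
}

// Merge into a cache whose prototype is private to this call (so any pollution stays inside
// the demo), then report whether an unrelated object sharing that prototype was affected.
function pollutesSharedPrototype(mergeFn, event) {
  const sharedProto = {};
  mergeFn(Object.create(sharedProto), event);
  return Object.create(sharedProto).polluted === true;
}

// Constructed sample events; JSON.parse makes "__proto__" an own key, as a wire event would.
const SAFE_EVENT = JSON.parse('{"type":"m.room.message","content":{"msgtype":"m.text","body":"hi"}}');
const CRAFTED_EVENT = JSON.parse('{"type":"m.room.message","__proto__":{"polluted":true}}');
```

Rejecting an event when `findUnsafeKeys` returns anything, before it reaches any merge or cache, is the simplest policy; `safeMerge` shows the defence-in-depth variant for code paths that must accept the event anyway.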
We found these issues during a codebase audit that we had previously announced in an earlier security release of matrix-js-sdk and matrix-react-sdk. The earlier release had already addressed a set of similar vulnerabilities that were assigned CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 and CVE-2022-36060 / GHSA-2x9c-qwgf-94xr, which we had initially decided not to disclose until the completion of the audit. Now that the audit is finished, we are disclosing those previous advisories as well.
We will be releasing a security update to matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2 and clients which implement end-to-end encryption with these libraries, to patch critical security issues, on Wed, Sept 28th. The releases will be published in the afternoon, followed by the disclosure blog post around 16:00 UTC. The affected clients include Element Web, Desktop, iOS and Android. We will also be working with downstream packagers and forks over the coming days to ensure a synchronised release to address affected clients.
Clients using matrix-rust-sdk, hydrogen-sdk and matrix-nio are not affected by these critical issues. We are also auditing third-party client SDKs and clients in advance of the release, and will work with the projects if action is needed. So far we've confirmed that other popular SDK/clients including mtxclient (nheko), Matrix Dart SDK (FluffyChat), Trixnity (Timmy), Syphon, mautrix-go (Gomuks) and mautrix-python are not affected by the issues in question.
If you maintain or package a (potentially) affected E2EE-capable Matrix client and need to coordinate on the release, please contact [email protected].
We advise upgrading as soon as possible after the patched versions are released.
Thank you for your patience while we work to resolve this issue.
We've released a new version of matrix.org's node-irc 1.3.0 and
matrix-appservice-irc 0.35.0, to patch several security issues:
The details of the final vulnerability will be released at a later date,
pending an audit of the codebase to ensure it's not affected by other similar
vulnerabilities.
The vulnerabilities have been patched in node-irc version 1.3.0 and matrix-appservice-irc 0.35.0. You can get the release on GitHub.
The bridges running on the Libera Chat, OFTC and other networks bridged by the
Matrix.org Foundation have been patched.
Please upgrade your IRC bridge as soon as possible.
The above vulnerabilities were reported by Val Lorentz. Thank you!
Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a couple of High severity vulnerabilities (reserved as CVE-2022-36059 for the matrix-js-sdk and CVE-2022-36060 for the matrix-react-sdk).
Affected clients include those which depend on the affected libraries, such as
Element Web/Desktop and Cinny. Releases of the affected clients will follow
shortly. We advise users of those clients to upgrade at their earliest
convenience.
The vulnerabilities give an adversary who you share a room with the ability to
carry out a denial-of-service attack against the affected clients, making it
not show all of a user's rooms or spaces and/or causing minor temporary
corruption.
The full vulnerability details will be disclosed at a later date, to give
people time to upgrade and us to perform a more thorough audit of the codebase.
Note that while the vulnerability was to our knowledge never exploited
maliciously, some unintentional public testing has left some people affected by
the bug. We made a best effort to sanitize this to stop the breakage. If you
are affected, you may still need to clear the cache and reload your Matrix
client for it to take effect.
We thank Val Lorentz, who discovered and reported the vulnerability over the weekend.
Hey everyone!
Today we're releasing Synapse 1.61.1, an out-of-cycle security release. Server administrators are encouraged to update as soon as possible.
This release fixes a vulnerability with Synapse's URL preview feature. URL
previews of some web pages can lead to unbounded recursion, causing the request
to either fail, or in some cases crash the running Synapse process.
Homeservers with the url_preview_enabled configuration option set to false (the default value) are unaffected. Instances with the enable_media_repo configuration option set to false are also unaffected, as this also disables the URL preview functionality.
Server administrators who are unable to update Synapse should disable URL previews by setting url_preview_enabled: false in their configuration file.
They can also delegate URL preview to a separate, dedicated worker to ensure the
process crashing does not impact other functionality of Synapse.
Please see this security advisory for more information.
We've released updates to matrix-appservice-irc and our forked node-irc that it depends on to patch a High security vulnerability.
It's advised to update to 0.34.0 as soon as possible.
The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed part of the message to be sent to the IRC server verbatim rather than as a message to the channel.
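The defensive side of the bug above, as an added example that is not the bridge's or node-irc's own code: IRC is line-oriented, so a message body must never reach the socket containing CR, LF or NUL. The `toPrivmsgLines` encoder, the `serverCommands` model of how a server splits the stream, and the sample body are all constructed here.

```javascript
// IRC is line-oriented: every command is one line ending in CR LF, and RFC 1459 forbids NUL,
// CR and LF inside message parameters. A body that reaches the socket with one of those
// bytes unescaped is therefore read by the server as more than one command.
const IRC_MAX_LINE = 512; // RFC 1459 limit per line, including the trailing CR LF

// True when a Matrix message body could not be sent verbatim as a single IRC parameter.
function hasProtocolBreak(body) {
  return /[\x00\r\n]/.test(body);
}

// Build the PRIVMSG lines for a body: split on every line-break variant (a lone CR
// included), drop NUL and empty lines, and clip each line to the protocol limit, so each
// fragment is delivered as a channel message rather than interpreted as a command.
function toPrivmsgLines(target, body) {
  if (!/^[^\s,\x00\r\n\x07]+$/.test(target)) throw new Error("invalid IRC target");
  const prefix = `PRIVMSG ${target} :`;
  const room = IRC_MAX_LINE - Buffer.byteLength(prefix) - 2;
  const lines = [];
  for (const raw of body.split(/\r\n|\r|\n/)) {
    let text = raw.replace(/\x00/g, "");
    if (text.trim() === "") continue;
    while (Buffer.byteLength(text) > room) text = text.slice(0, -1); // clip, re-measure bytes
    lines.push(`${prefix}${text}\r\n`);
  }
  return lines;
}

// Model of how a server splits a byte stream into commands; used to check that what we send
// never yields a line whose command is anything other than PRIVMSG.
function serverCommands(stream) {
  return stream.split(/\r\n|\r|\n/).filter((l) => l !== "").map((l) => l.split(" ")[0]);
}

// Constructed sample: a body carrying a lone CR, the case the advisory describes.
const SAMPLE_BODY = "first line\rsecond line";
```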
If you are currently a matrix-appservice-irc user, exercise caution when replying to messages from untrusted participants
in IRC bridged rooms until your bridge instance has been upgraded.
The vulnerability has been patched in node-irc version 1.2.1 and matrix-appservice-irc 0.34.0. You can get the release on GitHub.
The bridges running on the Libera Chat, OFTC and other networks bridged by the Matrix.org Foundation have been patched.
The vulnerabilities are tracked as GHSA-37hr-348p-rmf4 and GHSA-52rh-5rpj-c3w6.
Thank you, Val Lorentz, for reporting this vulnerability.
Element Desktop 1.9.6 and earlier depend on a vulnerable version of Electron, leading to a High severity vulnerability in Element Desktop, relating to its functionality for opening downloaded files. If successfully exploited, the vulnerability allows an attacker to open an arbitrary file path on the user's machine using the platform's standard mechanisms, but without the ability to pass additional arguments or data to the program being executed.
However in certain platform configurations, the same vulnerability could allow an attacker to open an arbitrary URL with an arbitrary scheme instead of a file path, again using the platform's standard mechanisms. There has been research demonstrating that the ability to open arbitrary URLs can sometimes lead to arbitrary code execution.
The attack requires user interaction and the exploit is complex. To the best of our knowledge, the vulnerability has never been exploited in the wild.
The vulnerability was patched in 1.9.7, with further hardening in 1.9.9 to make it harder to exploit even in light of new Electron vulnerabilities. Please upgrade to 1.9.9 as soon as possible. The vulnerability has been assigned CVE-2022-23597.
Discovered and reported by Sirius and TheGrandPew.
There is currently a lot of buzz and uncertainty around a number of vulnerabilities discovered in the log4j library in the Java ecosystem. These vulnerabilities are collectively known as "Log4Shell" and currently encompass CVE-2021-44228 and CVE-2021-45046.
First and foremost, there are to our knowledge no Matrix homeservers written in Java. Synapse, the canonical implementation developed by the Matrix Foundation and the implementation that is backing matrix.org, is written in Python and thus unaffected. P2P Matrix relies on Dendrite, our next-gen homeserver which is written in Go and is unaffected. Conduit, a community homeserver, is written in Rust and also unaffected. Supporting components like Sygnal and Sydent are written in Python and unaffected.
There are two components that are commonly used in the Matrix ecosystem that do rely on Java. These are Jitsi, specifically the Jitsi Videobridge for VoIP, and signald used by the Signal bridge. Both components pull in log4j as part of their (transitive) dependencies. We're not aware of other bridges that are dependent on Java-based components.
For both of these projects, updates have been published that integrate log4j 2.15.0, covering the initial CVE, and we're currently waiting for additional updates that integrate log4j 2.16.0 to cover the second. In the meantime, we've put all mitigations we are aware of in place on our systems and we strongly recommend everyone do the same.
For what mitigations to put in place, we recommend following the recommendations provided by LunaSec. They also provide a lot of background information on the vulnerabilities and how to audit for them.
Please keep an eye out for releases from the Jitsi and signald projects and follow their upgrade instructions to update your own deployments as soon as possible.