This Alert is relevant to Australians who are running instances of ‘ownCloud’ file sharing. Custom implementations based off the open-source platform may also be at risk. This alert is intended to be understood by technical users.
Users are encouraged to apply any available patches and workarounds as soon as possible.
Background / What has happened?
- 'ownCloud' has released security advisories and patches for 3 critical vulnerabilities in the platform and its apps.
- CVE-2023-49103 is a max-rated critical vulnerability which exposes sensitive information, potentially including admin passwords and security keys, which could allow full authenticated access to a system.
- CVE-2023-49104 is a critical-rated vulnerability which allows an attacker to bypass domain validation, which can be used to create a connection back to a server they control.
- CVE-2023-49105 is a critical-rated vulnerability which allows an unauthenticated attacker to access, modify or delete any file if a valid username is known, and no signing key is configured (which is the default).
Affected versions / applications
- CVE-2023-49103: graphapi v0.2.0 – v0.3.0
- CVE-2023-49104: oauth2 < v0.6.1
- CVE-2023-49105: Core v10.6.0 – v10.13.1
There have been reports of exploitation attempts against CVE-2023-49103 globally.
Containerised deployments of the product are most at risk.
File Transfer and Storage systems are a popular target for Ransomware.
Mitigation / How do I stay secure?
Organisations that use an implementation of ‘ownCloud’ should follow the workarounds provided in the work arounds below:
- https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
- https://owncloud.com/security-advisories/subdomain-validation-bypass/
- https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
Assistance / Where can I go for help?
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).