7.5
CVE-2022-29169
- EPSS 1.45%
- Veröffentlicht 01.06.2022 23:15:07
- Zuletzt bearbeitet 21.11.2024 06:58:37
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginReDoS on endpoint html5client/useragent in BigBlueButton
ReDoS on endpoint html5client/useragent
BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory.
Mögliche Gegenmaßnahme
Server: If you are not able to upgrade to a patched version, you can eliminate the attack surface by disabling NginX forwarding the requests to the handler. Add the following block to your NginX configuration.
```
location /html5client/useragent {
return 404;
}
```
For BigBlueButton 2.3 or 2.4 a good place to add this block would be in `/etc/bigbluebutton/nginx/`
For BigBlueButton 2.5 a good place to add this block would be in `/usr/share/bigbluebutton/nginx/`
Reload via `sudo systemctl reload nginx`
Test this change by navigating to `<yourserver.com>/html5client/useragent` -- if you see 404, the workaround is active.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
BigBlueButton ≫ BigBlueButton Version >= 2.2.0 < 2.3.19
BigBlueButton ≫ BigBlueButton Version >= 2.4.0 < 2.4.7
BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha1
BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha2
BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha3
BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha4
BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha5
BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha6
BigBlueButton ≫ BigBlueButton Version2.5 Updatebeta1
Weitere Schwachstelleninformationen
SystemBigBlueButton
≫
Produkt
Server
Version
>= 0.0.0, < 2.3.19
Version
>= 2.4.0, < 2.4.7
Version
>= 2.5.0, < 2.5.0-beta.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.45% | 0.699 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1333 Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://github.com/bigbluebutton/bigbluebutton/pull/14886
https://github.com/bigbluebutton/bigbluebutton/pull/14896
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp