{"id":77908,"date":"2023-12-01T17:34:12","date_gmt":"2023-12-01T17:34:12","guid":{"rendered":"https:\/\/owncloud.com\/?p=77908"},"modified":"2023-12-04T10:34:43","modified_gmt":"2023-12-04T10:34:43","slug":"immediate-action-required-critical-security-updates-for-owncloud","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/immediate-action-required-critical-security-updates-for-owncloud\/","title":{"rendered":"Immediate Action Required: Critical Security Updates for ownCloud"},"content":{"rendered":"<p><span data-contrast=\"auto\">You may have read or heard that ownCloud server instances may be affected by several high-priority vulnerabilities. <\/span><span data-ccp-props=\"{}\">O<\/span><span data-contrast=\"auto\">n September 19, we notified all users with the <\/span><a href=\"https:\/\/central.owncloud.org\/t\/owncloud-server-10-13-1-released-critical-security-fixes-included\/45223\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">release announcement for ownCloud server 10.13.1<\/span><\/a><span data-contrast=\"auto\"> about this critical update.\u00a0<\/span><span data-ccp-props=\"{}\"><br \/>\n<\/span><span data-contrast=\"auto\">If you followed the instructions in our previous communication, we thank you very much and you should be on the safe side. 
However, we recommend that you double check to ensure you applied all recommended measures (below).<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Vulnerabilities:<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-49103\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">CVE-2023-49103<\/span><\/a><span data-contrast=\"auto\"> Affects the GraphAPI<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-49104\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">CVE-2023-49104<\/span><\/a><span data-contrast=\"auto\"> Allows crafted redirect URLs that bypass validation<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-49105\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">CVE-2023-49105<\/span><\/a><span data-contrast=\"auto\"> Permits unauthorized file access, modification, or deletion<\/span><span data-ccp-props=\"{&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><b><span data-contrast=\"auto\">Affected Products:<\/span><\/b><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">All <\/span><b><span data-contrast=\"auto\">ownCloud Server<\/span><\/b><span data-contrast=\"auto\"> instances <\/span><b><span data-contrast=\"auto\">below <\/span><\/b><b><span data-contrast=\"auto\">version 10.13.3<\/span><\/b><span data-contrast=\"auto\"> are affected. 
Please check your current version to determine if an update is necessary.\u00a0<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\"><br \/>\n<\/span><span data-contrast=\"auto\">If you run at least ownCloud 10.13.1 and don\u2019t use external storage you should also upgrade, but you aren\u2019t subject to a security vulnerability.\u202f<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\"><br \/>\n<\/span><span data-contrast=\"auto\">If you run <\/span><b><span data-contrast=\"auto\">ownCloud Infinite Scale<\/span><\/b><span data-contrast=\"auto\"> or any of our <\/span><b><span data-contrast=\"auto\">managed services<\/span><\/b><span data-contrast=\"auto\"> including <\/span><b><span data-contrast=\"auto\">ownCloud.Online<\/span><\/b><span data-contrast=\"auto\"> you are <\/span><b><span data-contrast=\"auto\">NOT<\/span><\/b><span data-contrast=\"auto\"> affected.\u202f<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Immediate Actions:<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"12\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\">Update Immediately if you run any of the \u201cAffected Products\u201d listed above.<\/li>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"12\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">App-Specific Updates: For GraphAPI (CVE-2023-49103) and OAuth2 (CVE-2023-49104), please update the apps via the provided marketplace links and remove the \u201cGetPhpInfo.php\u201d file.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"12\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Patch for Pre-Signed URL Issue: The WebDAV API Authentication Bypass (CVE-2023-49105) requires an upgrade to 10.13.3 or a specific patch available from our support team.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><b><span data-contrast=\"auto\">Links for Action:<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"11\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span 
data-contrast=\"auto\">Instructions for ownCloud Server Updates: <\/span><a href=\"https:\/\/doc.owncloud.com\/server\/next\/admin_manual\/maintenance\/upgrading\/upgrade.html\"><span data-contrast=\"none\">https:\/\/doc.owncloud.com\/server\/next\/admin_manual\/maintenance\/upgrading\/upgrade.html<\/span><\/a><span data-contrast=\"auto\">\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"11\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Download server packages:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"11\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">Downloads are available at <\/span><a href=\"http:\/\/www.owncloud.com\/download\"><span data-contrast=\"none\">www.owncloud.com\/download<\/span><\/a><span data-contrast=\"auto\"> . 
For our subscription customers at <\/span><a href=\"https:\/\/portal.owncloud.com\/\"><span data-contrast=\"none\">portal.owncloud.com<\/span><\/a><span data-contrast=\"auto\"> .<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"11\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">For App Specific Updates:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"11\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><i><span data-contrast=\"auto\">For Graph API: v0.3.1: <\/span><\/i><a href=\"https:\/\/marketplace.owncloud.com\/apps\/graphapi\"><span data-contrast=\"none\">https:\/\/marketplace.owncloud.com\/apps\/graphapi<\/span><\/a><span data-contrast=\"auto\"> (NOTE: In addition to the update please make sure to delete <\/span><i><span data-contrast=\"auto\">owncloud\/apps\/graphapi\/vendor\/microsoft\/microsoft-graph\/tests\/GetPhpInfo.php.)\u00a0<\/span><\/i><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"11\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"2\"><i><span data-contrast=\"auto\">For OAuth2: v0.6.1: <\/span><\/i><a href=\"https:\/\/marketplace.owncloud.com\/apps\/oauth2\"><span data-contrast=\"none\">https:\/\/marketplace.owncloud.com\/apps\/oauth2<\/span><\/a><span data-ccp-props=\"{&quot;469777462&quot;:[720],&quot;469777927&quot;:[0],&quot;469777928&quot;:[1]}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf02d\" data-font=\"Symbol\" data-listid=\"11\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf02d&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Our dedicated support team is ready to assist our subscription customers. 
Please contact them at <\/span><a href=\"https:\/\/owncloud.com\/support\/\"><span data-contrast=\"none\">https:\/\/owncloud.com\/support\/<\/span><\/a><span data-contrast=\"auto\">\u202f for any help.\u202f<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><b><span data-contrast=\"auto\">For more information<\/span><\/b><span data-contrast=\"auto\"> please also look at our <\/span><a href=\"https:\/\/owncloud.com\/security\/\"><span data-contrast=\"none\">FAQ<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">In general, we recommend always upgrading to the latest version, which is currently 10.13.3. More information <\/span><\/b><a href=\"https:\/\/central.owncloud.org\/t\/owncloud-server-10-13-3-released\/45976\" target=\"_blank\" rel=\"noopener\"><b><span data-contrast=\"none\">here<\/span><\/b><\/a><b><span data-contrast=\"auto\">.<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><span data-contrast=\"auto\">We sincerely apologize for any inconvenience this may cause. The safety and security of your data are of paramount importance to us, and we are committed to ensuring the highest standards are maintained. 
Please do not hesitate to reach out for support during this critical update period.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Immediate Action Required: Critical Security Updates for ownCloud &#8211; CVE-2023-49103 &#8211; CVE-2023-49104 &#8211; CVE-2023-49105 <\/p>\n","protected":false},"author":7,"featured_media":78665,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[48,360],"tags":[],"class_list":["post-77908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/77908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=77908"}],"version-history":[{"count":2,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/77908\/revisions"}],"predecessor-version":[{"id":77912,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/77908\/revisions\/77912"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/78665"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=77908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=77908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=77908"}],"curies":[{"name":"wp","href":
"https:\/\/api.w.org\/{rel}","templated":true}]}}