Last Friday WordPress published it’s 4.5.2 security release. Our security team took a look at the fixed issues to determine whether ownCloud is affected by a similar vulnerability. Users with Flash enabled on releases older than ownCloud 9 are vulnerable to specifically crafted files. Due to the severity of the issue a special security update has been released for all current ownCloud releases prior to 9. We recommend upgrading as soon as possible.
The issue
Quoting from the WordPress announcement:
Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coordinate and fix these issues.
ownCloud also uses the widely used open-source MediaElement.js for the inline display of videos. After analyzing the security patches applied in the latest MediaElement.js release we’ve decided to issue an out-of-the-band security release to our users.
What impact has this vulnerability?
In simple terms, the Flash file part of ownCloud’s MediaElement.js can be embedded in another website and there result in the compromised accounts of users from that ownCloud server. The update to ownCloud will fix the vulnerability in the Flash file to prevent this from happening and we strongly recommend to update your ownCloud to protect your users.
The vulnerability in question is a reflected Cross-Site-Scripting vulnerability
within the SWF files shipped by MediaElement.js (which is used as fallback for older browsers such as IE 8). This vulnerability allows an adversary to execute arbitrary JavaScript code in the user session. To exploit this an attacker needs the user to open a specially crafted link or make them visit a page controlled by the attacker.
Note that this is only exploitable in browsers which support Flash. If the user has configured their browser to not execute Flash files (for example using Click-To-Play in Chrome) they are not affected unless they click.
ownCloud 9.0 and newer
In our ongoing hardening work we previously removed any Flash-based fallback in the ownCloud 9.0 video player. This has been possible because support for Internet Explorer 8 has been dropped in this release. Instances running ownCloud 9.0 are thus not affected by this vulnerability.
You can get the updated packages for your ownCloud release from the Changelog page.
For your convenience, the most important files are linked below:
Download: owncloud-8.2.5.tar.bz2 or owncloud-8.2.5.zip
MD5: owncloud-8.2.5.tar.bz2.md5 or owncloud-8.2.5.zip.md5
Download: owncloud-8.1.8.tar.bz2 or owncloud-8.1.8.zip
MD5: owncloud-8.1.8.tar.bz2.md5 or owncloud-8.1.8.zip.md5
Download: owncloud-8.0.13.tar.bz2 or owncloud-8.0.13.zip
MD5: owncloud-8.0.13.tar.bz2.md5 or owncloud-8.0.13.zip.md5
Download: owncloud-7.0.15.tar.bz2 or owncloud-7.0.15.zip
MD5: owncloud-7.0.15.tar.bz2.md5 or owncloud-7.0.15.zip.md5
If you use our linux packages, it is time to do a zypper refresh; zypper upgrade
, apt-get update; apt-get upgrade
or a yum update; yum upgrade
, packages should be synced to the mirrors by now.