
CVE-2021-43445 : What You Need to Know

Learn about the impact of CVE-2021-43445 on ONLYOFFICE, where attackers can authenticate with the web socket service using a default JWT signing key, and discover mitigation steps.

CVE-2021-43445 addresses an Incorrect Access Control vulnerability affecting ONLYOFFICE.

Understanding CVE-2021-43445

What is CVE-2021-43445?

CVE-2021-43445 affects all versions of ONLYOFFICE available as of 2021-11-08 with an Incorrect Access Control issue. The web socket service of the ONLYOFFICE document editor is protected by JWT authentication, but the signing key ships with a default value; an attacker who knows that default key can mint a valid token and authenticate to the service.

The Impact of CVE-2021-43445

This vulnerability can allow unauthorized users to gain access to the ONLYOFFICE web socket service, potentially leading to unauthorized actions within the affected system.

Technical Details of CVE-2021-43445

Vulnerability Description

The weakness lies in how ONLYOFFICE enforces access control: because the JWT signing key has a default value, any client that knows it can forge a token the service accepts, bypassing authentication entirely.

Affected Systems and Versions

        Vendor: n/a
        Product: n/a
        Versions: All versions of ONLYOFFICE as of 2021-11-08

Exploitation Mechanism

Attackers can exploit this vulnerability by utilizing the default JWT signing key to authenticate with the web socket service, allowing unauthorized access.

Mitigation and Prevention

Immediate Steps to Take

        Disable or restrict access to the web socket service if not necessary.
        Update to the latest patched version of ONLYOFFICE.
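The following added example (not ONLYOFFICE code) shows in Python why a default HS256 signing key defeats JWT authentication and how rotating the secret closes the hole: a token minted with the default key verifies while the default is configured and is rejected once a unique secret is in place. The default value `CHANGE_ME_DEFAULT_SECRET` is a placeholder, not the real shipped key, and the 32-byte minimum reflects the HS256 key-size guidance of RFC 7518.

```python
import base64, hashlib, hmac, json, secrets

# Placeholder for a shipped default; the real value is not given here.
KNOWN_DEFAULT_SECRETS = {"CHANGE_ME_DEFAULT_SECRET"}
MIN_SECRET_BYTES = 32  # HS256 keys should be at least 256 bits (RFC 7518 s3.2)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str):
    """Return the payload if the signature is valid for `secret`, else None.
    Only HS256 is accepted, so an 'alg' of 'none' or anything else is rejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(body_b64))
    except (ValueError, json.JSONDecodeError):
        return None

def audit_jwt_secret(secret: str) -> list:
    """Findings a deployment review should raise about the configured signing secret."""
    findings = []
    if secret in KNOWN_DEFAULT_SECRETS:
        findings.append("secret matches a known default value")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append(f"secret shorter than {MIN_SECRET_BYTES} bytes")
    return findings

def demo() -> dict:
    """A token minted with the default key is accepted until the secret is rotated."""
    outsider_token = sign_hs256({"sub": "anyone"}, "CHANGE_ME_DEFAULT_SECRET")  # constructed
    rotated = secrets.token_urlsafe(MIN_SECRET_BYTES)  # unique per deployment, >= 32 bytes
    return {
        "default_findings": audit_jwt_secret("CHANGE_ME_DEFAULT_SECRET"),
        "rotated_findings": audit_jwt_secret(rotated),
        "accepted_with_default": verify_hs256(outsider_token, "CHANGE_ME_DEFAULT_SECRET") is not None,
        "accepted_after_rotation": verify_hs256(outsider_token, rotated) is not None,
    }
```

Run `audit_jwt_secret` against the secret in your deployed configuration; any finding means tokens issued by third parties may be accepted.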

Long-Term Security Practices

        Implement strong authentication mechanisms for web services.
        Regularly monitor and audit access logs for unusual activities.

Patching and Updates

        Apply patches and updates provided by ONLYOFFICE promptly to fix the Incorrect Access Control vulnerability.
