ReDoS on endpoint html5client/useragent in BigBlueButton
CVE-2022-29169

7.5HIGH

Key Information:

Vendor

Bigbluebutton

Status
Bigbluebutton
Vendor
CVE Published:
1 June 2022

What is CVE-2022-29169?

BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using SmartWatch. The maintainers removed htmlclient/useragent from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

bigbluebutton >= 2.2, < 2.3.19 < 2.2, 2.3.19

bigbluebutton >= 2.4.0, < 2.4.7 < 2.4.0, 2.4.7

bigbluebutton >= 2.5-alpha-1, < 2.5.0-beta.2 < 2.5-alpha-1, 2.5.0-beta.2

References

https://github.com/bigbluebutton/bigbluebutton/security/a...
x_refsource_CONFIRM
https://github.com/bigbluebutton/bigbluebutton/pull/14886
x_refsource_MISC
https://github.com/bigbluebutton/bigbluebutton/pull/14896
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.