Security issue: Vulnerability in the Ghostscript library in versions before 9.27
Identifier: CVE-2019-3835, CVE-2019-3838
Attack scenario: It is possible to execute unauthorized shell commands through a specially crafted file.
Affected: DRACOON SaaS environment
Description: In the DRACOON SaaS environment, the Ghostscript library is used on the servers that generate thumbnails. By uploading a specially crafted PDF file, an attacker could have executed unauthorized shell commands on those servers, although not with administrative privileges.
Mitigating factors: The strict separation of all systems reliably ensures that no access to other systems, and in particular to the documents stored in DRACOON, is possible. The vulnerability cannot be exploited in client-side encrypted data rooms, because no thumbnails are generated there.
Impact on on-premises installations: Customers who run DRACOON on their own servers are not affected, because the DRACOON Media Server is not used to generate thumbnails in those installations.
Resolution as of 29.03.2019
Analysis of the systems revealed no anomalies, so it can be assumed that the vulnerability was not actively exploited. Nevertheless, the systems were replaced as a precaution, to rule out an undetected compromise. On the new systems, the vulnerability was closed by installing the security patch supplied by Red Hat.
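As an added example (not DRACOON's own tooling and not part of the original advisory), the following POSIX shell script decides whether an installed Ghostscript carries the fix for CVE-2019-3835 and CVE-2019-3838, the check a server operator would run both for the affected-version statement above and for the Red Hat patch mentioned in the resolution. It encodes the caveat that matters for that patch: upstream fixed both issues in 9.27, but Red Hat backports fixes to an older version string (Red Hat Enterprise Linux 7 ships a 9.07-based ghostscript package), so a bare version check reports a patched host as vulnerable. The script therefore also searches the package changelog for both CVE identifiers. The function names, the `--check-host` flag and the sample changelog snippets are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from DRACOON or the Ghostscript project.
# Decides whether an installed Ghostscript is fixed for CVE-2019-3835 and
# CVE-2019-3838. Upstream fix: 9.27. Vendors such as Red Hat backport the
# fix without bumping the version, so the package changelog is checked too.

# version_ge A B: exit 0 when dotted version A is >= B. Only major.minor are
# compared, numerically, which is how Ghostscript numbers its releases.
version_ge() {
    a_major=${1%%.*}
    case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*} ;; *) a_minor=0 ;; esac
    b_major=${2%%.*}
    case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*} ;; *) b_minor=0 ;; esac
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# gs_fix_status VERSION CHANGELOG: prints "fixed", "vulnerable" or "unknown"
# and exits 0 only when the fix is present. VERSION is the output of
# `gs --version`; CHANGELOG is the text of `rpm -q --changelog ghostscript`
# (empty on non-RPM systems, where only the version can be judged).
gs_fix_status() {
    version=$1
    changelog=$2
    if [ -z "$version" ]; then
        echo unknown          # gs not installed or not on PATH
        return 2
    fi
    if version_ge "$version" 9.27; then
        echo fixed            # upstream release with both fixes
        return 0
    fi
    # Older version string: accept only if the changelog names both CVEs,
    # i.e. the vendor backported the fix.
    case $changelog in
        *CVE-2019-3835*CVE-2019-3838*|*CVE-2019-3838*CVE-2019-3835*)
            echo fixed
            return 0 ;;
    esac
    echo vulnerable
    return 1
}

# Constructed sample changelog snippets (not real package metadata).
SAMPLE_BACKPORTED='* constructed entry 9.07-NN
- Fix CVE-2019-3835 and CVE-2019-3838'
SAMPLE_UNPATCHED='* constructed entry 9.07-NN
- Fix earlier, unrelated issues'

# Run with --check-host on a real system (flag name chosen for this example).
if [ "${1-}" = --check-host ]; then
    gs_fix_status "$(gs --version 2>/dev/null)" \
                  "$(rpm -q --changelog ghostscript 2>/dev/null)"
fi
```

On a Debian-based host `rpm` is absent and the changelog argument stays empty, so only a 9.27 or later version counts as fixed; feed the output of `apt changelog ghostscript` or the distribution's security tracker instead if a backport is suspected. A "fixed" verdict settles only the library question: the process isolation described under mitigating factors is what limits the blast radius when the next Ghostscript sandbox escape appears.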