What are DRACOON security updates?
Security updates are updated versions of DRACOON components for which a security-relevant error has been identified or reported.
A security-relevant error is a vulnerability in the software that can be exploited under certain conditions to gain unauthorized access to data worth protecting.
Since mid-July 2020, DRACOON rates vulnerabilities by severity. For this purpose, CVSS scores (Common Vulnerability Scoring System) are used, which allow different vulnerabilities to be compared on the basis of defined factors (metrics).
The higher the score, the more severe the vulnerability is rated.
DRACOON also publishes security bulletins to inform about known vulnerabilities in the components it uses.
How do I receive DRACOON security updates?
As an existing DRACOON Cloud customer, you receive security-relevant updates as soon as they are available and have been tested.
As an existing customer of DRACOON Server with a DRACOON-managed environment (full managed service), you will receive an announcement with a date on which DRACOON will install the update.
As an existing customer of DRACOON Server with a self-managed environment, you will be informed about an available security-relevant update, but you are responsible for installing or updating the affected component yourself. If support is needed, our operations team will assist with the installation.
For the clients (DRACOON for Windows/Mac, DRACOON for Outlook, DRACOON for iOS, and DRACOON for Android), downloads of the latest versions are provided on the following DRACOON page:
For the mobile apps (DRACOON for iOS and Android), updates are distributed and rolled out via the respective stores (App Store, Google Play Store).
If a security-relevant update is available for the desktop applications (DRACOON for Windows/Mac or DRACOON for Outlook), we will inform all existing customers.
DRACOON security updates
| DRACOON Product | Description | Release Version | Release Date | CVSS Score | Rating |
|---|---|---|---|---|---|
| DRACOON Cloud | Auditors can view the access data (access key and secret key) for the S3 object storage (if configured) in the audit log. The access data is not publicly visible. | DRACOON Core Service 4.35 | 17.02.2022 | | |
| DRACOON Cloud | Users logged into DRACOON can be redirected to any other, potentially malicious website via the redirect_url parameter of the /oauth/logout API endpoint, e.g. https://example.dracoon.com/oauth/logout?redirect_url=google.com | DRACOON OAuth Service 4.24 | 17.02.2022 | 8.8 | High |
| DRACOON Cloud | Auditors can view in the audit log the AES key of users, which the DRACOON Web App uses to locally decrypt the decryption password of the respective user. This vulnerability cannot be used to decrypt encrypted files. | DRACOON Core Service 4.33.4 | 19.01.2022 | 4.1 | Low |
| DRACOON Cloud | DRACOON for Outlook for DRACOON Cloud customers contains versions of the libraries Apache Log4net and RestSharp that have security vulnerabilities. Exploits were only theoretically possible and unlikely. | DRACOON for Outlook 6.9.1 | 17.12.2021 | 7.8 | Medium |
| DRACOON Server | DRACOON for Outlook for DRACOON Server customers contains versions of the libraries Apache Log4net and RestSharp that have security vulnerabilities. Exploits were only theoretically possible and unlikely. | DRACOON for Outlook 5.12.4 | 17.12.2021 | 7.8 | Medium |
| DRACOON Cloud | Auditors can trace in the audit log the AES key used by the DRACOON Web App to encrypt users' personal decryption passwords. This vulnerability cannot be used to decrypt encrypted files. | DRACOON Core 4.33.4 | 08.12.2021 | 4.1 | Low |
| DRACOON Server | The secret key for connected S3 storage was stored unencrypted in the internal DRACOON database. No external access to the database was possible. | DRACOON Core 4.26.6 | 06.12.2021 | 5.6 | Medium |
| DRACOON Cloud | The secret key for connected S3 storage was stored unencrypted in the internal DRACOON database. No external access to the database was possible. | DRACOON Core 4.33.0 | 10.11.2021 | 5.6 | Medium |
| DRACOON Cloud | A reflected XSS vulnerability allowed JavaScript code execution on the error page of the web app under certain conditions when using Firefox. | DRACOON Web App 5.11.0 | 10.03.2021 | 8.1 | High |
| DRACOON Cloud | The distribution of file keys in encrypted data rooms was severely limited under certain conditions. | DRACOON Core Service 4.23.5 | 27.01.2021 | 4.4 | Low |
| DRACOON Cloud, DRACOON Server (2019-1) | A bug in the iOS app meant that favorites saved earlier remained visible under "Files" in iOS even after logging out of a DRACOON environment. | | 22.10.2020 | 2.2 | Low |
| DRACOON Cloud, DRACOON Server (2019-1) | The developer version of the Android app used an outdated third-party software package that had a vulnerability. | DRACOON for Android 5.6.1 | 24.07.2020 | 3.3 | Low |
| DRACOON Cloud, DRACOON Server (2019-1) | A bug in the Android app meant that the configured lock code was not requested when unlocking the screen. | DRACOON for Android 5.6.1 | 24.07.2020 | 6.1 | Medium |
| DRACOON Server (2019-1) | A reflected XSS vulnerability on the OAuth login page allowed JavaScript code execution via input in the user field. | DRACOON OAuth Service 4.12.4 | 17.07.2020 | 6.8 | Medium |
| DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON Media Server 1.4.2 | 13.07.2020 | Not rated | Not rated |
| DRACOON Server (2019-1) | A reflected XSS vulnerability in the handling of a specific address used to display errors allowed JavaScript code execution. | DRACOON WebUI 4.12.2 | 29.05.2020 | Not rated | Not rated |
| DRACOON Cloud | In rare circumstances, a user of one webhook received information about another, unrelated webhook. | DRACOON Event Web Hook Dispatcher 1.0.2 | 07.05.2020 | Not rated | Not rated |
| DRACOON Cloud | In rare circumstances, users received notifications about the use of a share they had not created. | DRACOON Event Email Dispatcher 1.0.1 | 02.04.2020 | Not rated | Not rated |
| DRACOON Cloud, DRACOON Server (2019-1) | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | | 27.03.2020 | Not rated | Not rated |
| DRACOON Cloud | Notifications about new files in data rooms were removed in rare cases without user interaction. | DRACOON Core Service 4.20.3 | 23.04.2020 | Not rated | Not rated |
| DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON BrandingUI 1.2.1-LTS | 02.04.2020 | Not rated | Not rated |
| DRACOON Cloud | The media token was sent in webhook responses for the "file.created" event. | DRACOON Core Service 4.20.0 | 30.03.2020 | Not rated | Not rated |
| DRACOON Cloud, DRACOON Server (2019-1) | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON OAuth Service 4.12.2, DRACOON OAuth Service 4.16.1 | 24.03.2020 | Not rated | Not rated |
| DRACOON Cloud, DRACOON Server (2019-1) | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON Core Service 4.12.6, DRACOON Core Service 4.19.0 | 10.03.2020 | Not rated | Not rated |
| DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON BrandingUI 1.4.2 | 10.03.2020 | Not rated | Not rated |
| DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON Branding Service 1.3.1 | 05.03.2020 | Not rated | Not rated |
| DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON Web App 5.3.0 | 05.03.2020 | Not rated | Not rated |
| DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat ("Ghostcat", CVE-2020-1938) | DRACOON S3 CMUR Worker 1.3.0 | 05.03.2020 | Not rated | Not rated |
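The open-redirect entry for the redirect_url parameter of /oauth/logout (DRACOON OAuth Service 4.24, CVSS 8.8) illustrates a flaw worth checking in any endpoint that turns a caller-supplied value into a Location header. The following Python is an added example and not DRACOON's code: it places the weak pattern (passing the parameter through unchanged) beside an allowlist check that accepts only same-origin absolute paths or https URLs on an allowed host. The host example.dracoon.com is taken from the table's example URL; the allowlist, the fallback path and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the logout endpoint may send a user to.
# Constructed for this example; it is not DRACOON's configuration.
ALLOWED_HOSTS = frozenset({"example.dracoon.com"})
FALLBACK = "/"  # where to send the user when redirect_url is rejected


def vulnerable_redirect_target(redirect_url: str) -> str:
    """The weak pattern: whatever the caller supplies becomes the redirect
    target, so a trusted domain can forward the user to any external site."""
    return redirect_url


def safe_redirect_target(redirect_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return redirect_url only if it stays on an allowed origin, else FALLBACK.

    Accepted: an absolute path on the same origin ("/files") or an https URL
    whose hostname is on the allowlist. Everything else falls back.
    """
    if not redirect_url:
        return FALLBACK
    # Browsers treat backslashes like forward slashes in URLs; refuse them
    # rather than trying to normalise them.
    if "\\" in redirect_url:
        return FALLBACK
    parts = urlparse(redirect_url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target. Allow "/path" but not "//host" (scheme-relative)
        # and not a bare hostname such as "google.com", which has no leading
        # slash and is therefore not a path on this origin.
        if redirect_url.startswith("/") and not redirect_url.startswith("//"):
            return redirect_url
        return FALLBACK
    # Absolute target: https only, and the hostname must be allowlisted.
    # .hostname drops any userinfo, so "https://trusted@evil.example/" is
    # evaluated against "evil.example", not "trusted".
    if parts.scheme != "https" or parts.hostname is None:
        return FALLBACK
    if parts.hostname.lower() not in allowed_hosts:
        return FALLBACK
    return redirect_url


if __name__ == "__main__":
    # Constructed sample values, including the one from the table entry.
    for candidate in ("google.com", "https://google.com", "//google.com",
                      "https://example.dracoon.com@evil.example/",
                      "/files", "https://example.dracoon.com/files"):
        print(f"{candidate!r:50} vulnerable -> {vulnerable_redirect_target(candidate)!r:45}"
              f" safe -> {safe_redirect_target(candidate)!r}")
```

The check is deliberately an allowlist rather than a blocklist: rejecting known-bad hosts leaves scheme-relative URLs, userinfo tricks and backslash variants to be discovered one at a time, whereas accepting only a fixed set of origins closes the whole class. Logging rejected values at the endpoint also gives operations a signal that someone is probing the parameter.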