Bug 2243128 (CVE-2023-45129) - CVE-2023-45129 synapse: malicious ACL event can cause denial of service
Summary: CVE-2023-45129 synapse: malicious ACL event can cause denial of service
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-45129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2243129
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-10-10 21:13 UTC by Anten Skrabec
Modified: 2023-10-10 21:15 UTC (History)
0 users

Fixed In Version: synapse 1.94.0
Doc Type: ---
Doc Text:
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.
Clone Of:
Environment:
Last Closed: 2023-10-10 21:15:40 UTC
Embargoed:


Attachments (Terms of Use)

Description Anten Skrabec 2023-10-10 21:13:40 UTC
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version
https://github.com/matrix-org/synapse/pull/16360
https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4

Comment 1 Anten Skrabec 2023-10-10 21:13:53 UTC
Created synapse tracking bugs for this issue:

Affects: fedora-all [bug 2243129]

Comment 2 Anten Skrabec 2023-10-10 21:15:40 UTC
Red H


Note You need to log in before you can comment on or make changes to this bug.