First of all, Community Builder and our CB Add-ons are not vulnerable to following third-party libraries vulnerabilities, in default or in any reasonable configuration. Additionally, third-party CB add-ons using correctly the CB API should also not be vulnerable through these third-party libraries vulnerabilities.
The CB team is following security news and Beat is part of the Joomla Security Strike Team (JSST). Thus we are usually aware very early of new vulnerabilities potentially affecting Community Builder or our add-ons. For all vulnerabilities of third-party libraries below, we have usually been aware within hours of the issues, and could each time assess with highest priority that those vulnerabilities could not be exploited through Community Builder or any of our Add-ons.
The CB Team implements using defensive programming techniques. This means that we often have multiple levels of protections and user-inputed data filterings, handling default cases, and always escaping at the right place, so that security reviews are easy. Also, no code change is made in core CB without peer-review inside the team. As a matter of fact, with CB 2.1.1, we are celebrating the 1234th merge-requests since CB 2.0! Each of those merge requests has been peer-reviewed and security-audited before being added to CB.
Community Builder 2.1.1 includes the newest PHPMailer 5.2.22 third party emailing library and a security-improved version of Guzzle HTTP/HTTPS requests third-party library.
As both libraries have experienced security vulnerabilities and fixes lately, CB team is issuing the following security statement on those issues and their non-exploitability in Community Builder.
PHPMailer Security Advisory
CB 2.0 through 2.1.0 includes the third party library PHPMailer 5.2.8, but its vulnerabilities are not exploitable in CB with default or any reasonably possible settings.
The information given below is just for open information.
We cannot assert security of third-party add-ons and Joomla extensions. But if the CB API is properly used, those third-party library-level-vulnerabilities should not exploitable in third-party addons.
1. Exploit type: Remote Code Execution in third-party PHPMailer library
- CVE Numbers: CVE-2016-10033 and CVE-2016-10045
- Severity: Not exploitable except with very unlikely configurations
- Discussion: This vulnerability is only exploitable with the "From" address of emails, and if email sending methods other than SMTP are used. Community Builder never sends out mail with the "From" address in default configuration. Even if configured despite a warning to do so, all users' "From" email-address is being filtered by Joomla and CB. Thus CB is not vulnerable to this.
- Further action: CB 2.1.1 ships with PHPMailer 5.2.22 which solves this issue in library. We have nevertheless reviewed all instances, and hardened further all such places, so that any exotic and non-recommended configuration or use should not be vulnerable too.
2. Exploit type: Local file disclosure
- CVE Numbers: CVE-2017-5223
- Severity: Not exploitable within CB
- Discussion: CB does not send HTML-mails with user-provided HTML content. Thus CB is not vulnerable to this.
- Further action: CB 2.1.1 ships with PHPMailer 5.2.22 which solves this issue in library, as well as with additional hardenings, so that any exotic and non-recommended configuration or use should not be vulnerable too.
3. Exploit type: Arbitrary message sending
- CVE Numbers: CVE-2015-8476
- Severity: Not exploitable within CB
- Discussion: CB filters CRLF's in all email addresses and subjects. Thus CB is not vulnerable to this.
- Further action: CB 2.1.1 ships with PHPMailer 5.2.22 which solves this issue in library, as well as with additional hardenings, so that any exotic and non-recommended configuration or use should not be vulnerable too.
4. Exploit type: Remote code execution
- CVE Numbers: CVE-2008-5619
- Severity: Not exploitable within CB
- Discussion: CB does not use the html2text function with user-provided text, and does not send HTML-mails with user-provided HTML content. Thus CB is not vulnerable to this.
- Further action: CB 2.1.1 ships with PHPMailer 5.2.22 which solves this issue in library, and the html2text() function has been removed.
Guzzle Security Advisory
CB 2.0 through 2.1.0 includes the third party library PHPMailer 5.2.8, but its vulnerabilities are not exploitable in CB with default or any reasonably possible settings.
The information given below is just for open information.
We cannot assert security of third-party add-ons and Joomla extensions. But if the CB API is properly used, those third-party library-level-vulnerabilities should not exploitable in third-party addons.
1. Exploit type: HTTP request interception with the "httpoxy" HTTP_PROXY vulnerability of Apache and of PHP to which Guzzle was also vulnerable.
- CVE Numbers: Apache CVE-2016-5387 and PHP CVE-2016-5385
- Severity: Not exploitable within CB
- Discussion: CB itself does not use Guzzle in the front-end. Our CB Add-ons which use Guzzle use either https requests, and for CB Connect, protocols have additional layers of authentication on top, which makes this PHP/Guzzle vulnerability not exploitable. CBSubs does not use Guzzle, and did never support proxies, so not vulnerable. Thus CB is not vulnerable to this.
- Further action: CB 2.1.1 ships with fixed custom version of Guzzle, which solves this issue in library, so that any exotic and non-recommended configuration or use should not be vulnerable too. Additionally, all CB requests to Joomlapolis (update channel, latest version checks, RSS newsfeeds) are now made using HTTPS, with certificate check.