Hi there,
thanks for your post. At Nextcloud we take security very seriously, which is why we follow a transparent disclosure process for security problems. Any complex piece of software has security issues, so the only real differentiation between solutions is how well they are handled. We strive to be industry-leading in how we handle security.
We run a $10K security bug bounty program where we respond, on average, within 3 hours to a reported security issue. Most security issues are found and fixed by our own employees, with our bug bounty program the second source of reports. Finally, sometimes external organizations, often customers, do an audit and report issues. We greatly appreciate the input from anyone outside of Nextcloud as their reports help keep our users and customers safe.
As part of the responsible security disclosure process, we request and publish CVEs. This is done quite some time AFTER the issues have been fixed and updates have been made available, so users who update following our recommendations should be entirely safe. The publishing is done both for transparency reasons and to allow administrators to see if their systems could have been affected by the issue.
We generally publish CVEs every couple of months, so there is nothing special when they are published. It is just a regular reminder that all complex software has issues, administrators should update frequently, and running software without updates is dangerous. This is true especially for software from vendors that do NOT regularly publish CVEs, as that often means they do not fix security issues in a responsible way.
The email configurator issue is, following the strict rules of the CVE process, classified as high. Note that this reflects the severity of the result, not taking into account the actual prevalence or likelihood that users are affected by it. Users would only be affected if:
- the user's email server is running on a custom Top Level Domain (so not .com or .org but .companyname, for example)
- somebody has set up, maliciously, an autoconfigure.companyname
- the Nextcloud Mail app is set up to auto configure (not a default) but the administrator has failed to configure an auto configuration on the email server.
The result is that the attacker gains the email username and password. Depending on these (if the user is, for example, re-using passwords, as well as use of 2-factor authentication) these can be used to compromise email or other services.
So it’s classified “High”, but if you read and understand it, it’s immediately clear that the majority of Nextcloud and Nextcloud users are not affected by this ever, as only a very minimal amount of users run a custom .tld address for their own mail server, don’t have auto configuration enabled on their mail server, but enable the feature in the mail app.
Nevertheless we of course recommend updating the server and all apps, as well as the stack below it (PHP and operating system), and configuring it safely by using 2FA where available.
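The conditions listed in the post above come down to one question an administrator can verify: does the autoconfig host for my mail domain exist, is it under my control, and does the configuration it serves point mail clients only at my own servers? The following script is an added example and is not part of the post or of Nextcloud's code. It assumes the Mozilla-style autoconfig convention (a host named `autoconfig.<mail domain>` serving `/mail/config-v1.1.xml`); the hostname prefix, the trusted address list and the sample XML document are constructed for the example, and the DNS resolver is injectable so the check can be run offline against a fake resolver.

```python
"""Defender-side check for the mail autoconfig exposure described in the post.

Assumed mechanism (not taken from the post): mail clients that auto-configure
look up autoconfig.<mail-domain> and fetch /mail/config-v1.1.xml from it.
Whoever answers on that host decides where the client sends its credentials,
so an administrator wants that host to resolve to an address they control and
the served document to reference only their own servers.
"""
import socket
import xml.etree.ElementTree as ET

AUTOCONFIG_PREFIX = "autoconfig"  # assumption: Mozilla-style autoconfig host name

# Constructed sample of a config-v1.1.xml document (not fetched from anywhere).
SAMPLE_XML = """<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="example.corp">
    <domain>example.corp</domain>
    <incomingServer type="imap">
      <hostname>imap.example.corp</hostname>
      <port>993</port>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.corp</hostname>
      <port>465</port>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""


def autoconfig_host(mail_domain):
    """Host name a client would query for the given mail domain (assumed convention)."""
    return f"{AUTOCONFIG_PREFIX}.{mail_domain.strip().lower()}"


def resolve_default(hostname):
    """Real DNS lookup; returns a sorted list of addresses or [] if the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def servers_in_autoconfig(xml_text):
    """Return (role, hostname) for every incoming/outgoing server in a config-v1.1.xml."""
    root = ET.fromstring(xml_text)
    servers = []
    for tag in ("incomingServer", "outgoingServer"):
        for srv in root.iter(tag):
            host = srv.findtext("hostname")
            if host:
                servers.append((tag, host.strip().lower()))
    return servers


def in_domain(hostname, mail_domain):
    """True if hostname is the mail domain itself or a subdomain of it."""
    mail_domain = mail_domain.strip().lower()
    return hostname == mail_domain or hostname.endswith("." + mail_domain)


def assess(mail_domain, trusted_addresses, xml_text=None, resolve=resolve_default):
    """Summarise who controls the autoconfig path for mail_domain.

    trusted_addresses: IP addresses the administrator knows they control.
    xml_text: the document served by the autoconfig host, if one was retrieved.
    resolve: DNS function, injectable so the check can run against fixtures.
    """
    host = autoconfig_host(mail_domain)
    addresses = resolve(host)
    foreign = []
    if xml_text is not None:
        foreign = [h for _, h in servers_in_autoconfig(xml_text) if not in_domain(h, mail_domain)]
    result = {
        "host": host,
        "resolves": bool(addresses),
        "addresses": addresses,
        # Only meaningful when the host resolves: every address must be one we control.
        "trusted_address": bool(addresses) and all(a in trusted_addresses for a in addresses),
        "foreign_servers": foreign,
    }
    findings = []
    if not addresses:
        findings.append(f"{host} does not resolve; publish an autoconfig host you control so nobody else can")
    elif not result["trusted_address"]:
        findings.append(f"{host} resolves to an address outside your trusted list: {addresses}")
    if foreign:
        findings.append(f"served configuration sends credentials outside {mail_domain}: {foreign}")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    # Offline demonstration with a fake resolver; replace with resolve_default for a live check.
    fake_dns = lambda h: {"autoconfig.example.corp": ["198.51.100.10"]}.get(h, [])
    print(assess("example.corp", {"198.51.100.10"}, SAMPLE_XML, resolve=fake_dns))
```

Run against a real domain by calling `assess("yourdomain.tld", {"<your addresses>"}, fetched_xml)` with the default resolver; an empty `findings` list means the autoconfig host resolves to an address you control and every server it advertises sits inside your own domain, which is exactly the state the post describes as safe.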