Security

CVE-2021-3866: XSS in stream names

Alex Vandiver

This is an important security announcement for Zulip installations running the main (development) branch of the Zulip server. The main branch of Zulip Server, since a commit merged on December 4th, was vulnerable to a stored cross-site scripting vulnerability in stream names. A malicious user with permission to create or rename streams could exploit this vulnerability to execute arbitrary JavaScript in other users’ browsers.

  • Self-hosted installations running official releases are not affected, since this change did not make it into an official release.

  • Self-hosted installations that upgraded to the main branch on or after December 4 should immediately upgrade to the latest version of the main branch to get the fix. Your installation is affected if you deployed from Git and the following command produces exactly one line of output. It searches the deployed commit history for the hash of the vulnerable commit: zero lines means that commit was never deployed, and two lines means the fix is also present; in either of those cases the server is not vulnerable.

    git -C /home/zulip/deployments/current log | grep 44f935695d452cc3fb16845a0c6af710438b153d
  • Zulip Cloud was vulnerable from December 6th through January 15th. We have completed an audit of access logs, and have verified that this vulnerability was not exploited on Zulip Cloud.
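The paragraphs above describe the class of bug but not the code. The following added example is not Zulip's code: it shows, in a minimal form, how a stored stream name becomes stored XSS when it is interpolated into HTML unescaped, and how escaping at the point of output prevents it. The render helpers, the shape of the stream object, the audit heuristic and the sample payload are all assumptions made for this illustration.

```javascript
// Added example, not Zulip's code: a stream name read back from storage is still
// attacker-controlled input (anyone who may create or rename streams typed it), so it
// must be escaped wherever it enters HTML. The helpers below and the sample data are
// constructed for illustration only.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the name came from the database, so it looks trusted,
// but it is whatever the stream's creator or renamer typed.
function renderStreamLinkUnsafe(stream) {
  return `<a class="stream-link" data-stream-id="${stream.id}">#${stream.name}</a>`;
}

// Fixed pattern: escape every untrusted value at the point it is written into markup.
function renderStreamLinkSafe(stream) {
  return `<a class="stream-link" data-stream-id="${escapeHtml(stream.id)}">#${escapeHtml(stream.name)}</a>`;
}

// Rough audit heuristic (an assumption, not Zulip's audit procedure): flag stored
// names that contain markup or handler-like fragments, which is what an attacker who
// exploited such a bug would have left behind in the stream table.
function looksLikeMarkup(name) {
  return /<[a-z!\/]|\bon\w+\s*=|javascript:/i.test(name);
}

// Constructed sample data: one stream name carrying an event-handler payload,
// one benign name with a character that still needs escaping.
const maliciousStream = {
  id: 42,
  name: '<img src=x onerror="alert(document.cookie)">',
};
const benignStream = { id: 7, name: "design & review" };

// Renders both forms and runs the audit over the sample streams.
function demo() {
  return {
    unsafe: renderStreamLinkUnsafe(maliciousStream),
    safe: renderStreamLinkSafe(maliciousStream),
    flagged: [maliciousStream, benignStream]
      .filter((s) => looksLikeMarkup(s.name))
      .map((s) => s.id),
  };
}

const result = demo();
console.log("unsafe:", result.unsafe);   // browser would execute the onerror handler
console.log("safe:  ", result.safe);     // browser shows the payload as literal text
console.log("flagged stream ids:", result.flagged);
```

The unsafe output contains a live `<img>` element with an `onerror` handler; the safe output contains only `&lt;img ...&gt;`, which the browser renders as text. Escaping the attribute value as well as the text node matters because a name containing `"` could otherwise terminate the `data-stream-id` attribute and start a new one.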

We have been assigned CVE-2021-3866 for this vulnerability; we’d like to thank Abdul Muhaimin for bringing this to our attention.

(Edit: We were originally assigned CVE-2021-3853 for this issue. However, due to an error by the third party that assigned this CVE number, that CVE number had incorrectly also been assigned to an unrelated vulnerability in a different product.)

Upgrading

Because this vulnerability was not in any released version of Zulip Server, we are not releasing a new version of Zulip to resolve it. If you upgraded to the main branch on or after December 4, you should upgrade to the latest main again using our documented techniques (for example, upgrade-zulip-from-git main). If you need help, best-effort support is available on chat.zulip.org.

Reminder: upgrade your host operating system

As a reminder, we will remove support for Ubuntu 18.04 Bionic shortly. Specifically, Ubuntu 18.04 will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.

We strongly recommend upgrading the OS of any Zulip servers you manage which are running on Ubuntu 18.04, because important packages in Ubuntu 18.04 are no longer receiving security support from Ubuntu. See our OS upgrade documentation for how to correctly upgrade the host operating system for a Zulip server.

We intend to remove support for Ubuntu 18.04 from the main branch in the coming days. Once we have done so, you will need to upgrade the operating system to Ubuntu 20.04 before running upgrade-zulip-from-git main.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: