Zulip Server 4.10 security release

We released Zulip Server 4.10 today! This is a security release, containing important security fixes, as well as important cherry-picked bug fixes, since Zulip Server 4.9.

Upgrading

We strongly recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.

Reminder: upgrade your host operating system

As a reminder, we have deprecated support for Ubuntu 18.04 Bionic, because the upstream vendor no longer provides security support for important Zulip dependencies. Specifically, Ubuntu 18.04 remains supported in this release and will be supported in the rest of the Zulip Server 4.x series, but will not be supported in the upcoming Zulip Server 5.0 release.

We recommend upgrading any Zulip servers you manage which are running on Ubuntu 18.04. See our OS upgrade documentation for how to correctly upgrade a Zulip server.

Notable changes:

  • CVE-2022-21706: Reusable invitation links could be improperly used for other organizations.
  • CVE-2021-3967: Enforce that regenerating an API key must be done with an API key, not a cookie. Thanks to nhiephon for their responsible disclosure of this vulnerability.
  • Fixed a bug with the reindex-textual-data tool, where it would sometimes fail to find the libraries it needed.
  • Pin PostgreSQL to 10.19, 11.14, 12.9, 13.5 or 14.1 to avoid a regression which caused deploys with PGroonga enabled to unpredictably fail database queries with the error variable not found in subplan target list.
  • Fix ARM64 support; however, the wal-g binary is not yet supported on ARM64.

CVE-2022-21706

An internal investigation recently uncovered a vulnerability in Zulip’s invitation links. Specifically, a reusable invitation link could be used to join a different organization than the one it was created for. As a result, there was a potential for users to join an organization without an invitation (including bypassing domain restrictions), or to incorrectly obtain elevated permissions (e.g. a moderator or admin role).

This issue only affects installations like Zulip Cloud that host multiple Zulip organizations; the vast majority of self-hosted installations only host a single Zulip organization and are not affected.

It is possible for someone with expertise on the Zulip database and logging format to determine whether this vulnerability was used to gain improper access on a system. Customers with a Zulip support contract may request such assistance by contacting us at security@zulip.com. Our investigation of Zulip Cloud logs has determined that it is unlikely that this vulnerability was actively exploited prior to this disclosure.