BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By supplying input crafted for a specific regular expression, an attacker can cause a denial of service of the bbb-html5 service. The useragent library detects the client's device by parsing the User-Agent header and passing it through lookupUserAgent() (an alias of useragent.lookup()). This function processes its input with regular expressions, and an attacker can abuse that by providing a ReDoS payload using SmartWatch. The maintainers removed htmlclient/useragent from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, stop nginx from forwarding requests to the handler, following the directions in the GitHub Security Advisory.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Bigbluebutton | Bigbluebutton | 2.2.0 (including) | 2.3.19 (excluding) |
Bigbluebutton | Bigbluebutton | 2.4.0 (including) | 2.4.7 (excluding) |
Bigbluebutton | Bigbluebutton | 2.5-alpha1 (including) | 2.5-alpha1 (including) |
Bigbluebutton | Bigbluebutton | 2.5-alpha2 (including) | 2.5-alpha2 (including) |
Bigbluebutton | Bigbluebutton | 2.5-alpha3 (including) | 2.5-alpha3 (including) |
Bigbluebutton | Bigbluebutton | 2.5-alpha4 (including) | 2.5-alpha4 (including) |
Bigbluebutton | Bigbluebutton | 2.5-alpha5 (including) | 2.5-alpha5 (including) |
Bigbluebutton | Bigbluebutton | 2.5-alpha6 (including) | 2.5-alpha6 (including) |
Bigbluebutton | Bigbluebutton | 2.5-beta1 (including) | 2.5-beta1 (including) |
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.