CVE-2021-43821
📋 TL;DR
Opencast 9.x before 9.10 and 10.x before 10.6 let an authenticated user with media ingestion privileges reference local files by file:// URL inside a media package. The ingest service accepts such references and the files end up served through the web interface, so any file the Opencast service account can read, including Opencast's own configuration and the secrets it holds, can be extracted from the host. Organizations running a vulnerable Opencast for lecture capture and video management are affected.
💻 Affected Systems
- Opencast
📦 What is this software?
Opencast by Apereo
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of every file readable by the Opencast service account: its configuration files with database credentials and other secrets, API keys, SSH keys and similar material. If those secrets grant access to other systems, this can escalate to a broader compromise of the environment.
Likely Case
Extraction of sensitive configuration files and credentials stored on the Opencast server, potentially enabling lateral movement or data exfiltration.
If Mitigated
Exposure confined to what the Opencast service account can read. With a dedicated unprivileged account and tight permissions on everything else, that is essentially Opencast's own configuration and data; the secrets in its configuration are still exposed until the patch is applied.
🎯 Exploit Status
Exploitation requires an authenticated account with media ingestion privileges. Once such an account is available, exploitation is straightforward: the attacker only needs to reference a local path by file:// URL in the media package submitted for ingest.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Opencast 9.10, 10.6, or 11.0
Vendor Advisory: https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcp
Restart Required: Yes
Instructions:
1. Back up your Opencast installation and database.
2. Download and install Opencast 9.10, 10.6, or 11.0 from the official repository.
3. Follow the upgrade documentation for your specific version.
4. Restart all Opencast services.
5. Verify the fix on a test instance by ingesting a media package that references a harmless local file by file:// URL; the ingest must be rejected.
🔧 Temporary Workarounds
Restrict Opencast File System Access
The ingest service can only expose files that the account running Opencast can read. Run Opencast as a dedicated, unprivileged service user (never root) and make sure that user has no read access to directories it does not need, such as other applications' configuration or user home directories. On Linux, tighten the permissions of such directories so that "other" users, including the Opencast account, cannot read them:
chmod -R o-rwx /path/to/sensitive/data
This only limits the blast radius. Files Opencast itself must read, including its own configuration directory (etc/) and the credentials in it, remain readable by the service account and therefore exposable until you patch. SELinux adds a further boundary only if the Opencast Java process actually runs in a confined domain; labelling its data directory with web-server contexts such as httpd_sys_content_t does not constrain the Opencast process and is not a mitigation for this issue.
🧯 If You Can't Patch
- Limit media ingestion privileges to the few accounts that need them and review that assignment; treat every ingest-capable account as able to read whatever the Opencast service account can read
- Deploy network segmentation to isolate Opencast servers from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the Opencast version: a 9.x release before 9.10 (or any older, unsupported release) or a 10.x release before 10.6 is vulnerable.
Check Version:
Read the version from the Opencast admin interface's version information, or inspect the installation directory for the version of the installed distribution.
Verify Fix Applied:
After patching, on a test instance, attempt to ingest a media package whose track, catalog or attachment URL points at a harmless local file (e.g., file:///etc/passwd rather than a real secret). The ingest must fail or be blocked; if the file becomes available through the web interface, the fix is not in place.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Opencast logs, in particular reads of paths outside the installation and data directories
- Media ingestion requests whose media package or ingest parameters contain file:// or file:/ URLs; the media package is sent in the POST body, so application logs or request-body capture are needed to see it
- Opencast process reading sensitive system files, for example via auditd watch rules on files the service account can read but should never need
Network Indicators:
- Unusual outbound traffic from Opencast server following media ingestion
SIEM Query (template; field names depend on your log source):
source="opencast" AND ("file://" OR "file:/")
A standard web-server access log does not contain POST bodies, so this matches only if the application log or a request-body capture is indexed.
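Added example, not Opencast code and not the project's fix: a Python check for the condition this advisory describes. It serves the verification step above (inspect a media package before it is ingested) and the detection logic in this section (run the same check over captured ingest request bodies). Every <url> element in the media package is rejected unless it is an absolute http(s) URL, so file://, FILE:/, other schemes and bare filesystem paths are all flagged. The media package XML, the request records and the endpoint paths are constructed for the example; that your deployment can capture request bodies at the proxy is an assumption.

```python
"""Flag media-package URLs that use a local-file scheme (added example, not Opencast code)."""
import urllib.parse
import xml.etree.ElementTree as ET

# Only remote schemes are acceptable for elements referenced in a media package.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_allowed_url(url):
    """Return True only for absolute http(s) URLs with a host.

    Everything else is rejected: file:// and file:/ (any letter case), other
    schemes such as jar: or ftp:, and bare filesystem paths with no scheme.
    """
    parts = urllib.parse.urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def find_unsafe_urls(mediapackage_xml):
    """Return (element id, url) for every <url> that is not an http(s) URL.

    No element hierarchy is assumed: the <url> child of any element is checked,
    whatever namespace it is in, in document order.
    """
    root = ET.fromstring(mediapackage_xml)
    findings = []
    for element in root.iter():
        for url_el in element.findall("{*}url"):
            raw = (url_el.text or "").strip()
            if not is_allowed_url(raw):
                findings.append((element.get("id", element.tag), raw))
    return findings


def flag_ingest_requests(requests):
    """Detection over captured ingest POSTs: (request index, findings) for each hit.

    Each record is {"path": str, "body": str}. Only requests to /ingest/
    endpoints are inspected; bodies that are not XML are skipped.
    """
    hits = []
    for i, rec in enumerate(requests):
        if not rec.get("path", "").startswith("/ingest/"):
            continue
        try:
            findings = find_unsafe_urls(rec.get("body", ""))
        except ET.ParseError:
            continue
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample: one track, one catalog and one attachment reference local files.
SAMPLE_MEDIAPACKAGE = """<?xml version="1.0" encoding="UTF-8"?>
<mediapackage xmlns="http://mediapackage.opencastproject.org" id="demo-1">
  <media>
    <track id="track-1" type="presenter/source">
      <mimetype>video/mp4</mimetype>
      <url>https://example.org/upload/lecture.mp4</url>
    </track>
    <track id="track-2" type="presentation/source">
      <mimetype>video/mp4</mimetype>
      <url>file:///etc/passwd</url>
    </track>
  </media>
  <metadata>
    <catalog id="catalog-1" type="dublincore/episode">
      <mimetype>text/xml</mimetype>
      <url>FILE:/opt/opencast/etc/custom.properties</url>
    </catalog>
  </metadata>
  <attachments>
    <attachment id="attachment-1" type="security/xacml+episode">
      <url>/var/lib/opencast/secrets.txt</url>
    </attachment>
  </attachments>
</mediapackage>
"""

# Constructed sample: a benign package.
CLEAN_MEDIAPACKAGE = """<mediapackage xmlns="http://mediapackage.opencastproject.org" id="demo-2">
  <media>
    <track id="track-1" type="presenter/source">
      <url>https://example.org/upload/clean.mp4</url>
    </track>
  </media>
</mediapackage>
"""

# Constructed request captures (paths are illustrative, not a log format Opencast emits).
CAPTURED_REQUESTS = [
    {"path": "/ingest/createMediaPackage", "body": ""},                # no XML body: skipped
    {"path": "/ingest/addMediaPackage", "body": SAMPLE_MEDIAPACKAGE},  # the malicious package
    {"path": "/info/me.json", "body": SAMPLE_MEDIAPACKAGE},            # not an ingest endpoint: skipped
    {"path": "/ingest/addMediaPackage", "body": CLEAN_MEDIAPACKAGE},   # benign
]

if __name__ == "__main__":
    for index, findings in flag_ingest_requests(CAPTURED_REQUESTS):
        print(f"request {index}: {findings}")
```

The allow-list on scheme plus host is deliberate: a deny-list of "file" alone misses other schemes a URI library may resolve locally and misses scheme-less paths, and the scheme comparison is case-insensitive because URL parsers are. Running find_unsafe_urls over a package before ingest is the gate; running flag_ingest_requests over body captures is the retrospective check.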
🔗 References
- https://github.com/opencast/opencast/blob/69952463971cf578363e3b97d8edaf334ff51253/modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/impl/IngestServiceImpl.java#L1587
- https://github.com/opencast/opencast/commit/65c46b9d3e8f045c544881059923134571897764
- https://github.com/opencast/opencast/security/advisories/GHSA-59g4-hpg3-3gcp
- https://mvnrepository.com/artifact/org.opencastproject/opencast-ingest-service-impl