CVE-2022-29776 – CVE-2022-29776 is a critical stack overflow vul... (How to Fix)

Q: What is the severity of CVE-2022-29776?

CVE-2022-29776 has a CVSS score of 9.8 (CRITICAL). CVE-2022-29776 is a critical stack overflow vulnerability in ONLYOFFICE Document Server and Core that allows remote code execution by sending specially crafted files. Attackers can exploit this to execute arbitrary code on affected servers. Organizations running ONLYOFFICE Document Server v6.0.0 or below or Core 6.1.0.26 or below are affected.

📋 TL;DR

CVE-2022-29776 is a critical stack overflow vulnerability in ONLYOFFICE Document Server and Core that allows remote code execution by sending specially crafted files. Attackers can exploit this to execute arbitrary code on affected servers. Organizations running ONLYOFFICE Document Server v6.0.0 or below or Core 6.1.0.26 or below are affected.

💻 Affected Systems

Products:

ONLYOFFICE Document Server
ONLYOFFICE Core

Versions: Document Server v6.0.0 and below, Core 6.1.0.26 and below

Operating Systems: All platforms running ONLYOFFICE

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable. The vulnerability is in the file processing component, so any instance accepting document uploads is at risk.

📦 What is this software?

Core by Onlyoffice

View all CVEs affecting Core →

Document Server by Onlyoffice

View all CVEs affecting Document Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the server, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Remote code execution leading to server compromise, data exfiltration, and potential deployment of additional malware or backdoors.

🟢

If Mitigated

Limited impact if proper network segmentation, file upload restrictions, and monitoring are in place, though exploitation could still cause service disruption.

🌐 Internet-Facing: HIGH - Document servers are typically internet-facing to allow document sharing and collaboration, making them prime targets for exploitation.

🏢 Internal Only: MEDIUM - Internal servers are still vulnerable but have reduced attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exploit code is available, making exploitation straightforward for attackers. The vulnerability requires no authentication and can be triggered via file upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Document Server v6.0.1 and above, Core 6.1.0.27 and above

Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601

Restart Required: Yes

Instructions:

1. Backup configuration and data. 2. Stop ONLYOFFICE services. 3. Update to Document Server v6.0.1+ or Core 6.1.0.27+ using official packages. 4. Restart services. 5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict File Uploads

all

Temporarily disable or restrict document upload functionality to prevent exploitation while patching.

# Configure web server to block uploads to /upload endpoint
# Example for nginx: location /upload { deny all; }

Network Segmentation

linux

Isolate ONLYOFFICE servers from critical network segments to limit potential lateral movement.

# Configure firewall rules to restrict server communication
# Example: iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

Implement strict network access controls to limit who can access the ONLYOFFICE server
Deploy web application firewall (WAF) rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the installed version of ONLYOFFICE Document Server or Core. If version is Document Server ≤6.0.0 or Core ≤6.1.0.26, the system is vulnerable.

Check Version:

# For Document Server: cat /etc/onlyoffice/documentserver/version.txt
# For Docker: docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/version.txt

Verify Fix Applied:

Verify the version is updated to Document Server ≥6.0.1 or Core ≥6.1.0.27 and test document upload functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual file upload patterns
Process crashes in DesktopEditor component
Large or malformed file upload attempts

Network Indicators:

Unusual outbound connections from ONLYOFFICE server
Exploit kit traffic patterns
File uploads with abnormal characteristics

SIEM Query:

source="onlyoffice.log" AND ("File.cpp" OR "stack overflow" OR "segmentation fault")

📊 Metadata

CVE ID: CVE-2022-29776

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: June 2, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 Release Notes,Third Party Advisory
https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967 Patch,Third Party Advisory
https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29776 Exploit,Third Party Advisory
https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 Release Notes,Third Party Advisory
https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967 Patch,Third Party Advisory
https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29776 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-29776, you might also want to check these: