CVE-2023-30187

9.8 CRITICAL

📋 TL;DR

CVE-2023-30187 is a critical out-of-bounds memory access vulnerability in ONLYOFFICE DocumentServer that allows remote attackers to execute arbitrary code via crafted JavaScript files. It affects organizations using ONLYOFFICE DocumentServer versions 4.0.3 through 7.3.2 for document collaboration and editing. The CVSS score of 9.8 reflects remote code execution with high impact.

💻 Affected Systems

Products:
  • ONLYOFFICE DocumentServer
Versions: 4.0.3 through 7.3.2
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with JavaScript processing enabled are vulnerable. The vulnerability is in the document rendering component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to data exfiltration, ransomware deployment, or unauthorized access to sensitive documents.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and least privilege access are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub gist reference contains technical details that could facilitate exploitation. Attackers can trigger the vulnerability via crafted JavaScript in documents.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.3 and later

Vendor Advisory: http://onlyoffice.com

Restart Required: Yes

Instructions:

1. Back up your DocumentServer configuration and data.
2. Download ONLYOFFICE DocumentServer version 7.3.3 or later from the official website.
3. Stop the DocumentServer service.
4. Install the updated version following ONLYOFFICE installation documentation.
5. Restart the DocumentServer service.
6. Verify the update was successful.

🔧 Temporary Workarounds

Disable JavaScript Processing (all platforms)

Temporarily disable JavaScript execution in document rendering if not required for functionality.

Modify DocumentServer configuration to set 'javascript.enabled' to false

Network Segmentation (linux)

Restrict access to DocumentServer to trusted networks only.

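# Replace trusted_network with the source address or CIDR range allowed to reach the server.
# The ACCEPT rules must stay ahead of the DROP rules; -A appends in the order given.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP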

🧯 If You Can't Patch

  • Implement strict WAF rules to block malicious JavaScript patterns in document uploads.
  • Isolate the DocumentServer in a separate network segment with no internet access.

🔍 How to Verify

Check if Vulnerable:

Check the DocumentServer version via the web interface or configuration files. Versions 4.0.3 through 7.3.2 are vulnerable.

Check Version:

Check the version in the DocumentServer web interface or configuration files (e.g., /etc/onlyoffice/documentserver/local.json on Linux).

Verify Fix Applied:

Verify the installed version is 7.3.3 or later and test document processing with safe JavaScript files.
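
A version-range check for the verification steps above, as an added example that is not ONLYOFFICE tooling or part of the original advisory. It classifies a version string against the 4.0.3 through 7.3.2 range with numeric per-component comparison, so a value like 7.10.0 is not mistaken for older than 7.3.2. The function names and sample versions are constructed; reading the version from your own server is left to the operator.

```sh
#!/bin/sh
# Added example, not vendor tooling. Range taken from this page:
# affected 4.0.3 through 7.3.2, fixed in 7.3.3 and later.
# All function names are hypothetical.

# Print "major minor patch" for inputs such as 7.3.2, 7.3.2.8 or 7.3.3-49.
# Returns 1 when the string lacks three numeric dot-separated components.
ds_parse_version() {
    v=${1%%-*}                          # drop a "-build" suffix
    case $v in
        ''|*[!0-9.]*|.*|*..*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$v" | tr '.' ' ')
    [ $# -ge 3 ] || return 1
    echo "$1 $2 $3"
}

# Numeric, component-wise comparison of two triples: prints lt, eq or gt.
ds_cmp() {
    for pair in "$1:$4" "$2:$5" "$3:$6"; do
        a=${pair%%:*}; b=${pair##*:}
        if [ "$a" -lt "$b" ]; then echo lt; return 0; fi
        if [ "$a" -gt "$b" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Print vulnerable | patched | below-range | unparseable.
# Exit status: 0 outside the affected range, 1 inside it, 2 unparseable.
ds_cve_2023_30187_status() {
    triple=$(ds_parse_version "$1") || { echo unparseable; return 2; }
    if [ "$(ds_cmp $triple 4 0 3)" = lt ]; then echo below-range; return 0; fi
    if [ "$(ds_cmp $triple 7 3 2)" = gt ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Constructed sample inputs; pass the version your own server reports instead.
for sample in 4.0.2 4.0.3 7.3.2.8 7.3.3-49 7.10.0 7.3; do
    result=$(ds_cve_2023_30187_status "$sample") || true
    printf '%-10s %s\n' "$sample" "$result"
done
```

An unparseable result should be treated as "not verified" rather than as safe.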

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript file uploads
  • Document processing errors related to memory access
  • Unexpected process spawns from DocumentServer

Network Indicators:

  • Suspicious HTTP requests with crafted JavaScript payloads to document upload endpoints

SIEM Query:

source="DocumentServer" AND (event="memory_access_error" OR event="javascript_processing_failure")
