Security vulnerability found and patched in the Cozy platform. Update your self-hosted instance!

The Cozy controller starts each application with its own Linux user. In the unpatched version, when an application was launched, the controller used the proper uid but a gid equal to zero (the root group). Therefore, the application could access files that were supposed to be readable only by the root group.



Impact

If a user installs a malicious application on his/her Cozy instance, that application could use this vulnerability to read files it should not be able to access. Considering the very limited number of applications available today on the Cozy platform, we think the impact of this vulnerability is moderate.

Status

This vulnerability, found yesterday, was patched as quickly as we could. Version 2.0.19, which contains the patch, has been released and is ready for deployment.

Action

Instances hosted by the Cozy team on the cozycloud.cc domain are protected as we have updated our systems. No further action is required for these instances.

Self-hosted instances, which are not managed by the Cozy Cloud team, MUST be updated. To apply the update, either of two methods can be used:

From the Cozy home page, click on "Manage your apps", then "Update platform". You're done!

Or, from the command line, run the following commands, which stop the controller, update its npm package, and start it again:

sudo supervisorctl stop cozy-controller
sudo npm -g update cozy-controller
sudo supervisorctl start cozy-controller

Questions related to this issue are welcome on the Cozy Cloud forum.