-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4321
    MFSA 2022-38 Security Vulnerabilities fixed in Thunderbird 102.2.1
                             1 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-36059 CVE-2022-3034 CVE-2022-3033
                   CVE-2022-3032  

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-38

Security Vulnerabilities fixed in Thunderbird 102.2.1

Announced: August 31, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 102.2.1

# CVE-2022-3033: Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag

Reporter: Sarah Jamie Lewis
Impact:   high

Description

If a Thunderbird user replied to a crafted HTML email containing a meta tag
with the http-equiv="refresh" attribute and a content attribute specifying a
URL, Thunderbird started a network request to that URL, regardless of the
configuration to block remote content. In combination with certain other HTML
elements and attributes in the email, it was possible to execute JavaScript code
included in the message in the context of the message compose document. The
JavaScript code was able to perform actions including, but probably not limited
to, reading and modifying the contents of the message compose document,
including the quoted original message, which could potentially contain the
decrypted plaintext of encrypted data in the crafted email. The contents could
then be transmitted to the network, either to the URL specified in the META
refresh tag or to a different URL, as the JavaScript code could modify the URL
specified in the document. This bug doesn't affect users who have changed the
default Message Body display setting to 'simple html' or 'plain text'.

References

  o Bug 1784838

# CVE-2022-3032: Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked

Reporter: Sarah Jamie Lewis
Impact:   moderate

Description

When receiving an HTML email that contained an iframe element which used a
srcdoc attribute to define the inner HTML document, remote objects specified in
the nested document, for example images or videos, were not blocked. Instead,
the network was accessed and the objects were loaded and displayed.

References

  o Bug 1783831

# CVE-2022-3034: An iframe element in an HTML email could trigger a network
request

Reporter: Thunderbird Team
Impact:   moderate

Description

When receiving an HTML email that specified an iframe element to be loaded from
a remote location, a request to the remote document was sent, even though
Thunderbird didn't display the document.

References

  o Bug 1745751
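
The three issues above share one root cause: remote-content blocking was
applied to the top-level message but not to a META refresh target
(CVE-2022-3033), to a document nested in an iframe's srcdoc attribute
(CVE-2022-3032), or to the iframe's own src (CVE-2022-3034). The following
defender-side audit is an added example and is not Mozilla or Thunderbird code;
it walks an HTML mail body, flags every element that would cause a network
fetch, and recurses into srcdoc documents so nested objects are seen too. The
sample message, the hostnames in it and the function names are constructed for
this illustration.

```python
"""Audit an HTML mail body for content that would trigger a network request.

Added example (not Mozilla/Thunderbird code). Flags META refresh targets,
remote iframe/img/video/etc. sources, and recurses into iframe srcdoc documents.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes on each element that make a mail client fetch from the network.
REMOTE_ATTRS = {
    "img": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "script": ("src",),
}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def _refresh_target(content):
    """Return the URL from a META refresh content value such as '0; url=https://h/p'."""
    m = re.search(r";\s*url\s*=\s*['\"]?([^'\"\s]+)", content or "", re.IGNORECASE)
    return m.group(1) if m else None


def _is_remote(url):
    """True for absolute http(s)/ftp URLs and protocol-relative ('//host/...') URLs."""
    url = url.strip()
    if url.startswith("//"):
        return True
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


class RemoteContentAuditor(HTMLParser):
    """Collects findings as dicts: kind, url and srcdoc nesting depth."""

    def __init__(self, depth=0, findings=None):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.findings = findings if findings is not None else []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases names and decodes entities
        # CVE-2022-3033 class: a META refresh is a network request in disguise.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            url = _refresh_target(attrs.get("content"))
            if url and _is_remote(url):
                self._report("meta-refresh", url)
        # CVE-2022-3034 class and ordinary remote objects: check fetching attributes.
        for attr in REMOTE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value and _is_remote(value):
                self._report(f"{tag}[{attr}]", value)
        # CVE-2022-3032 class: the srcdoc document must be audited as well.
        if tag == "iframe" and attrs.get("srcdoc"):
            nested = RemoteContentAuditor(self.depth + 1, self.findings)
            nested.feed(attrs["srcdoc"])
            nested.close()

    def _report(self, kind, url):
        self.findings.append({"kind": kind, "url": url, "depth": self.depth})


def audit_html_mail(html):
    """Return the list of remote-content findings for one HTML mail body."""
    auditor = RemoteContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def has_remote_content(html):
    """Policy hook: a client blocking remote content should refuse to fetch if True."""
    return bool(audit_html_mail(html))


# Constructed sample message: one refresh target, one remote iframe, one
# inline (cid:) image that is fine, and a remote image hidden in srcdoc.
SAMPLE_MESSAGE = """
<html><head>
<meta http-equiv="Refresh" content="0; url=https://remote.example/leak">
</head><body>
<p>Hello</p>
<img src="cid:inline-logo">
<iframe src="https://tracker.example/frame.html"></iframe>
<iframe srcdoc="&lt;img src='https://tracker.example/pixel.gif'&gt;"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html_mail(SAMPLE_MESSAGE):
        print(f"depth={finding['depth']} {finding['kind']}: {finding['url']}")
```

Running the block against the constructed message reports the refresh target
and the remote iframe at depth 0 and the tracker image at depth 1, while the
cid: image is left alone; a mail client that enforces "block remote content"
would have to treat all three the same way.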

# CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack

Reporter: Val Lorentz
Impact:   moderate

Description

Thunderbird users who use the Matrix chat protocol were vulnerable to a
denial-of-service attack. An adversary sharing a room with a user had the
ability to carry out an attack against affected clients, causing them not to
show all of a user's rooms or spaces and/or causing minor temporary corruption.

References

  o Bug 1787741

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----