Summary & Key Actions Required
Avantra has become aware of a medium-severity data disclosure issue affecting customers running Avantra server 23 up to and including 23.3.6 and 24 up to and including Avantra Server 24.0.5 where the system is running with multiple customers configured (multi-tenant). A CVE ID has been requested and this document will be updated once it is available.
This issue could disclose extra data to authorised users beyond what they are supposed to see in multi-tenant scenarios only. The vulnerability is only present when using the underlying GraphQL API (used for the mobile app and the new user interface). Calls to this API endpoint in a multi-tenant scenario (where the user is restricted to specific customer) will reveal the full list of configured monitored objects within the Avantra installation even if the connecting user was restricted to only view systems within a specific customer set.
Please note that no data manipulation is possible with this issue and data disclosure is limited to viewing a list of systems and associated customers in multi-tenant scenarios.
This issue is fixed in Avantra Server versions 24.0.6 as well as version 23.3.7.
Please see this article for more information:
Mitigation
We have completed our investigations into this issue and have released patches for customers to immediately implement.
Customers are advised to upgrade to the latest Avantra server version (note, Agents are not affected) within their code line. For Avantra 23 this is server version 23.3.7 and above and for Avantra 24, this is server version 24.0.6 and above.
For those running in a multiple-customer / multi-tenant configuration and are unable to patch their Avantra systems, preventing incoming requests to the path /xn/api/graphql within your Avantra environment will prevent end users from access the affected API endpoint (note this will also disable mobile app and new-UI usage).
Change Log
| 22nd Jan @ 15:00 CET | Avantra was made aware a potential issue via a support incident from a customer. |
| 22nd Jan @ 16:41 CET | Support agents successfully reproduced the issue and forwarded to development team. |
| 23rd Jan @ 10:00 CET | Development accepts the issue and begins analysis for root cause |
| 23rd Jan @ 15:00 CET | The issue is selected for immediate development and release and the security response team is assembled. |
| 23rd Jan @ 17:00 CET | The security response team meets to discuss software release and the customer communications plan. |
| 24th Jan @ 16:45 CET | Software is released and this notice is published. Customer communications are sent to all existing registered support customers. |
We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.