Critical security vulnerability in Synapse 0.12 to 0.16.1 inclusive

2016-07-08 — General — Erik Johnston

We've been made aware of a critical security issue in Synapse present in versions 0.12 through 0.16.1 inclusive which can allow users' accounts to be accessed by other unauthorized users on the same server. The issue was reported at 14:40 UTC on 2016-07-07 by Patrik Oldsberg at Ericsson (many thanks Patrik for discovering the issue and swiftly informing us). The source of the issue was identified, and a patch was created and distributed to package maintainers at roughly 16:30 UTC the same day.

We are not aware of any exploit in the wild, but it is critical for all synapse homeservers later than v0.12 to be upgraded immediately.

The github repository, as well as major 3rd party packages, have been updated with patched versions.

If an update is not available for your system you should manually apply the security patch that is included below. (This can be done by running patch -p1 sec.patch in the synapse source directory.)

The git commit SHA of the fix is: 067596d341a661e008195f7f3a6887ade7cafa32. This is included in release v0.16.1-r1.

Whilst Synapse (and Matrix) is still in beta, we nonetheless take such security issues seriously. In the coming days we will be reviewing how this vulnerability was introduced, and any steps that could have been taken to prevent the issue. We will also be auditing the remaining access control system to ensure there are no other existing issues. The full findings will be published when completed.

We apologise for the inconvenience of this emergency upgrade.

Thank you for your continued support, The Matrix Team

Various upgrade instructions:

  • If you installed via git:   git pull.
  • If you installed via pip:   pip install
  • If you installed via debian package:   apt-get update; apt-get install matrix-synapse
After upgrade you will need to restart synapse.

Links to 3rd party packages: Arch: Fedora:

The patch against v0.16.x is: sec-0.16.patchsec-0.16.patch.signed

The patch against v0.14.x is: sec-0.14.patchsec-0.14.patch.signed

Signed announcement: fulldisclosure.signed