CVE-2022-31152 Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation
Matrix has published a [fix](https://github.com/matrix-org/synapse/issues/622) for this issue with version 1.62.0. Users of Matrix with federation disabled are advised to upgrade to version 1.62.0 or higher. This issue is only present in versions of Synapse up to and including 1.61.0. If a user encounters this issue, they can upgrade to version 1.62.0 or higher as a workaround. XMPP servers such as Psi and RedX that do not follow the Matrix specification are not affected by this issue.
Summary of changes in Synapse 1.62.0
This release fixes a known issue with federation that was documented in CVE-2022-31152.
XMPP servers such as Psi and RedX that do not follow the Matrix specification are not affected by this issue.
How do I know if I’m affected?
If you are using a Matrix federation, you may be affected if your XMPP servers does not follow the Matrix specification. If you are using a Matrix federation and your XMPP servers does not follow the Matrix specification, then you can upgrade to version 1.62.0 or higher as a workaround.
What is Matrix?
Matrix is an open standard for real-time communication. It's a way of connecting apps and services on the web, all in one place, with free and secure end-to-end encryption. Matrix allows you to create chat rooms, voice calls, or video meetings with people who use different messaging apps like Facebook Messenger and Google Hangouts.
Matrix is a tool for collaboration and communication. Its goal is to give users the best experience possible whether they're chatting with friends, collaborating on projects together or sharing ideas through interactive group chats.
Upgrade to Messenger version 2.0.0 or higher
Users of Matrix with federation disabled are advised to upgrade to version 2.0.0 or higher. This issue is only present in versions of Matrix before 2.0.0 and versions of Messenger up to and including 1.7.2. If a user encounters this issue, they can upgrade to version 2.0.0 or higher as a workaround for this issue and the associated CVE-2018-15840 vulnerability that was patched in previous versions of Messenger, provided that the server remains unreachable by synchronization clients due to federation being enabled on it, which is typically the case for most XMPP servers, including Psi and RedX, which follow the Matrix specification.
How do I know if my server is affected by this issue?
You can check if your server is affected by this issue by looking for the following error message in the matrix-synapse logs:
[2018-02-04T09:22:17.666Z] [error] [CloudQXC@127.0.0.1] HTTP request to proxy "http://localhost:8887/matrix/json" failed with status code 503.
The Matrix team has published a fix for an issue that affects versions of Synapse up to and including 1.61.0, where requests could fail with a 503 status code when federation is disabled. It can be disabled via the following configuration option in the config file:
"federation": false
Timeline
Published on: 09/02/2022 20:15:00 UTC
Last modified on: 09/09/2022 03:21:00 UTC