Update September 25th: Rainbow support teams informed the security and development teams that some clients are able to display images that are not thumbnails. This is a fallback mechanism used when thumbnail generation fails: the original image is displayed instead. Real thumbnails are still deactivated.
Update September 22nd: the Rainbow security and development teams have worked the whole week on a solution that could allow the feature to be reactivated. We have made very good progress, but we have to make sure that no other way of exploiting the flaw exists. Also, NVD (the National Vulnerability Database) has published an official CVE scored 9.8/10 on the CVSS 3.x scale, which clearly establishes the criticality of this vulnerability. As such, the Rainbow security and development teams will continue testing and exploring the corrections for this feature in order to have 100% certainty of security, stability and quality. We discovered it earlier, but it is still important to study it. Further updates will follow later next week.
Update September 15th: after establishing that this flaw had not been exploited, the Rainbow security team worked side by side with the development teams, established the complete call flow of the vulnerability and proposed several solutions to correct it definitively. Deactivating the feature was the mitigation, and we are confident that the preview feature can be reactivated in the near future, after complete functional and vulnerability testing and with the green light of the Rainbow security team.
Update 5:58 PM CEST: after a day of complete analysis across the whole platform, the Rainbow security team can confirm that the flaw has not been exploited maliciously, meaning there has been no impact on customer data or information.
Thanks to Dr. Jens Mueller, who reported the flaw and whose information allowed the ALE security response team to quickly react and assess the risk, its exploitability and its consequences. Our teams are still working on it and a new communication will be issued tomorrow.
Potential vulnerability: file preview
This morning a security flaw was reported to our security experts. This flaw concerns the preview of files using the storage feature of Rainbow. After analysis and confirmation of the flaw, the Rainbow security team decided, as a proactive measure, to deactivate the preview feature for the time being. More information will follow in the next hours, before the end of the day.
As an ISO 27001 compliant organization, ALE International and its Rainbow solutions execute a proactive cybersecurity strategy that puts in place rigorous teams and processes that continuously assess the risk of any raised CVE and immediately mitigate that risk whenever relevant.
Your Rainbow Security team