A security vulnerability CVE-2022-3969 was discovered in OpenKM, a popular open-source electronic document and record management system. This issue affects versions up to 6.3.11 and is associated with a problematic function, getFileExtension, located in FileUtils.java. The flaw leads to the insecure creation of temporary files, posing a risk of sensitive information exposure, file overwrite, or even code execution by malicious users.

In this post, we’ll analyze the vulnerability, demonstrate how it can be exploited, explore the official patch, and provide recommendations for mitigation.

The Vulnerability Explained

CVE-2022-3969 is classified as an Insecure Temporary File vulnerability. This category of bugs typically happens when a program creates or uses temporary files in a way that attackers can predict or preempt. Attackers can then potentially replace, read, or tamper with these files.

In this case, the issue was found inside the following function

// File: src/main/java/com/openkm/util/FileUtils.java
public static String getFileExtension(String fileName) {
    if (fileName == null) {
        return null;
    }
    int dotInd = fileName.lastIndexOf(".");
    if (dotInd == -1 || dotInd == fileName.length() - 1) {
        return "";
    } else {
        return fileName.substring(dotInd + 1);
    }
}

While the above method appears harmless (it simply returns a file extension), its usage contributes to how temporary files are constructed in an insecure way elsewhere in the application.

The Flawed Use Case

OpenKM, in prior versions, created temporary files with names derived directly from user-controlled input (like uploaded file names). Here's a simplified example of risky logic:

String ext = FileUtils.getFileExtension(userSuppliedFilename);
File tempFile = new File("/tmp/" + UUID.randomUUID().toString() + "." + ext);
tempFile.createNewFile();

If the extension returned by getFileExtension is not sanitized, an attacker could upload a file with a "filename" like:

invoice.pdf;rm%20-rf%20/


Depending on how file names are further handled, this could trigger unwanted command execution on poorly-secured systems, or more typically—insecure temp file creation—leading to potential file overwrite or data disclosure.

`

/tmp/4a25b9d1-a1ac-4e21-846f-91bb2aa3b15d.txt

`

3. There’s a short window where the file exists, but with improper permissions and a predictable location, allowing another process or user to replace or read it.

A more advanced attacker might use symbolic links or race conditions (TOCTOU attacks) to overwrite or access critical system files or escalate their privileges.

The Patch

The vulnerability was patched in OpenKM version 6.3.12, commit c069e4d73ab8864345c25119d8459495f45453e1. The patch does the following:

Sanitizes file extension extraction to ensure only safe values are used.

- Creates temporary files securely using Java’s Files.createTempFile method, which generates random file names securely and sets restrictive permissions.

Sample patched code

Path tmpFile = Files.createTempFile("openkm-", "." + ext);

This approach avoids predictable names, resists symlink attacks, and reduces exposure.

References

- CVE Details: CVE-2022-3969
- VDB-213548 Entry
- GitHub Patch – c069e4d73ab8864345c25119d8459495f45453e1

Upgrade OpenKM as soon as possible to version 6.3.12 or later.

- Ensure that any file handling in your applications sanitizes user input—including file names and extensions.

Conclusion

CVE-2022-3969 demonstrates how even seemingly small bugs (like improper handling of file extensions) can escalate into serious security issues such as insecure temporary file vulnerabilities. If you use OpenKM, make sure to upgrade now to avoid exposing your documents and systems to potentially devastating attacks.

Timeline

Published on: 11/13/2022 08:15:00 UTC
Last modified on: 11/17/2022 18:36:00 UTC