Dear Rocket.Chat users,

We are providing an important security hotfix for Rocket.Chat server outside of the regular release cycle. If you use SAML authentication, make sure to apply this hotfix as soon as possible.

Available versions: 3.9.1 / 3.8.3 / 3.7.3 / 2.4.13 / 1.3.4 / 0.74.4
CVE-2020-29594

The hotfix will only affect SAML authentication. A possible indicator for compromise could be that a custom SAML certificate was added without administrator approval, e.g.:

SAML_custom_…_cert_cert

Database administrators can check this i.a. by calling:
db.rocketchat_settings.find({ “_id”: /^SAML_Custom_.*/ }, { “_id”: 1 })

Please check our GitHub repository here for your latest version. Or receive a notification whenever a new version – including hotfixes such as this one – is available by registering your server here.

Keep Up with Rocket.Chat News

PRODUCT RELEASES, EVENTS, COMPANY UPDATES AND USE CASES
Subscribe Newsletter Envelope

    NEWSLETTER