This repository has been archived by the owner on Apr 20, 2023. It is now read-only.
A remote code execution vulnerability has been found in the DebOps API 1, the Python script which pre-computes the content served by https://api.debops.org/.
The default yaml.load method from PyYAML which is used to read Ansigenome YAML files is unsafe.
As a result remote code execution was possible when the DebOps API script parsed role metadata.
Refer to the issue Make load safe_load.
This has been fixed by switching to yaml.safe_load. [ypid_]
Risk: Arbitrary code could have been executed on a server running the DebOps API by getting a malicious meta/ansigenome.yml file into one of the DebOps core roles (with DebOps being the only known deployment of the DebOps API). The DebOps API automatically updates once per hour to the latest master of all DebOps core roles; as part of that update, the present meta/ansigenome.yml files are parsed and the API data is pre-computed. Such code would have run with the permissions of the debops-api user, a restricted system user 3 whose write access is limited to DebOps API data.
Note that before changes enter DebOps core roles, they need to be reviewed by at least one DebOps Developer 2 and we are not aware of any attempts (successful or unsuccessful) to exploit this vulnerability to gain access to project infrastructure.
The only known DebOps API instance 4 has been patched before publicly disclosing this vulnerability.
This issue was reported on 2017-02-21 by Robin Schneider (DebOps Developer and author of the DebOps API). The fix is being pushed to the main repository shortly before this email is being sent.
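The difference between yaml.load and yaml.safe_load that this advisory turns on, shown as an added example (this is not DebOps API code). The sample metadata below is constructed in the general shape of a meta/ansigenome.yml file; its keys are an assumption for illustration only. The second document carries a PyYAML Python-specific tag, which a full loader would resolve to a Python object but which safe_load refuses with a ConstructorError, so the metadata loader can only ever produce plain mappings, lists and scalars.

```python
"""Added example (not DebOps code): parse Ansigenome-style role metadata
with yaml.safe_load and reject documents carrying Python-specific tags."""
import yaml

# Constructed sample in the shape of a meta/ansigenome.yml file; the keys are
# an assumption for illustration, not taken from any DebOps role.
SAMPLE_META = """\
ansigenome_info:
  galaxy_id: '12345'
  travis: true
  synopsis: |
    Example role used to exercise the loader.
"""

# Constructed document using a PyYAML Python-specific tag. A full loader
# would resolve it to a Python object; safe_load has no constructor for it.
TAGGED_META = """\
ansigenome_info:
  synopsis: !!python/name:os.getcwd
"""


def load_role_metadata(text: str) -> dict:
    """Parse role metadata with safe_load only, so the YAML can only
    produce plain data types (mappings, lists, scalars)."""
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("role metadata must be a YAML mapping")
    return data


def is_rejected(text: str) -> bool:
    """Return True if safe_load refuses the document because it carries
    a tag the safe constructor does not know (e.g. any !!python/... tag)."""
    try:
        load_role_metadata(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_role_metadata(SAMPLE_META)["ansigenome_info"]["synopsis"])
    print("tagged document rejected:", is_rejected(TAGGED_META))
```

The type check after safe_load is a small extra guard: a hostile or malformed file that parses to a scalar or list would otherwise surface as an AttributeError deeper in the pre-computation step instead of a clear error at the parse boundary.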
This announcement is being made according to 5.
git commit which fixes it: