First published: Wed Sep 05 2012
Sebastian Krahmer (krahmer) reports:

Swift uses pickle to store and load metadata. pickle is insecure and allows arbitrary code to be executed in loads(). [...]

BTW, you can read more on executing code via pickle or cPickle here: http://nadiana.com/python-pickle-insecure

https://bugs.launchpad.net/swift/+bug/1006414

Additionally:

==

Pickle is insecure in a model where an untrusted user can provide the pickled data. In the Swift model the data is pickled by Swift itself and stored in memcache, so the attack vector would suppose direct write access by an untrusted user to memcached data?

==

memcached on Swift runs on every proxy server and shares a cache, so it binds to the internal network IP. For Swift we always assume that the internal network needs to be secure since Swift has been designed this way.

==

The commit message for the fix:

Reviewed: https://review.openstack.org/9105
Committed: http://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a
Submitter: Jenkins
Branch: master

commit e1ff51c04554d51616d2845f92ab726cb0e5831a
Author: Vincent Untz <vuntz>
Date: Thu Jun 21 14:37:41 2012 +0200

Do not use pickle for serialization in memcache, but JSON

We don't want to use pickle as it can execute arbitrary code. JSON is safer. However, note that it supports serialization for only some specific subset of object types; this should be enough for what we need, though.

To avoid issues on upgrades (inability to read pickled values, and cache poisoning for old servers not understanding JSON), we add a memcache_serialization_support configuration option, with the following values:

0 = older, insecure pickle serialization
1 = json serialization but pickles can still be read (still insecure)
2 = json serialization only (secure and the default)

To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload.

Support for 0 and 1 will be removed in future versions.

Part of bug 1006414.

Change-Id: Id7d6d547b103b4f23ebf5be98b88f09ec6027ce4
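The three memcache_serialization_support values from the commit message, sketched as a read/write policy in Python. This is an added example, not Swift's code: the function names, the flag constants and the sample entry are assumptions, as are the choices that a refused pickle is treated as a cache miss and that every mode can read JSON.

```python
import json
import pickle

# Flag bits stored beside each cache entry to record how it was encoded.
# Names and values are assumptions made for this example.
PICKLE_FLAG = 1
JSON_FLAG = 2


def encode_value(value, mode):
    """Serialize a value for the cache; returns (raw_bytes, flags)."""
    if mode == 0:
        return pickle.dumps(value), PICKLE_FLAG
    # Modes 1 and 2 write JSON only; non-JSON types raise TypeError here.
    return json.dumps(value).encode("utf-8"), JSON_FLAG


def decode_value(raw, flags, mode):
    """Deserialize a cache entry; returns None (a cache miss) if refused."""
    if flags & PICKLE_FLAG:
        if mode in (0, 1):
            # Insecure: pickle.loads can run code chosen by whoever wrote raw.
            return pickle.loads(raw)
        return None  # mode 2: cache bytes are never handed to pickle
    if flags & JSON_FLAG:
        # Assumption: every mode reads JSON entries.
        return json.loads(raw.decode("utf-8"))
    return None  # unknown encoding: treat as a miss


def rolling_upgrade_demo():
    """Read an old pickled entry and a new JSON entry under each mode."""
    sample = {"account": "AUTH_test", "containers": 3}  # constructed data
    old_entry = encode_value(sample, 0)  # as written by a mode-0 server
    new_entry = encode_value(sample, 2)  # as written by a mode-1/2 server
    return {
        mode: (decode_value(*old_entry, mode), decode_value(*new_entry, mode))
        for mode in (0, 1, 2)
    }
```

Under mode 1 the old pickled entries are still readable, which avoids the full cache flush but leaves the unsafe load path open until the switch to 2.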
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Swift3 | <=2.0 | |