Bug 1000060 (CVE-2013-5093, CVE-2013-5942, CVE-2013-5943)

Summary: CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution flaw due to pickle processing
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: james.juran, jonathansteffan, ratulg
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: graphite-web 0.9.11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-17 22:17:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1000062, 1000064    
Bug Blocks:    

Description Vincent Danen 2013-08-22 15:10:29 UTC 
It was reported [1] that a flaw exists in graphite-web versions 0.9.5 through to 0.9.10, due to the use of the pickle module.  The clustering feature of graphite-web was introduced in 0.9.5 to facilitate scaling for a graphite setup, which was achieved by passing pickled data between servers.  However, upon receipt of the pickled data, no validation was done to limit the types of objects that are unpickled, which creates a condition where arbitrary code can be executed.  Based on the available metasploit module [2], it does not look as though any kind of authentication or validation between servers exists either, to prevent a remote unauthenticated user from exploiting this flaw.

This flaw has been fixed in 0.9.11 (git commit [3]).

[1] http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/
[2] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb
[3] https://github.com/graphite-project/graphite-web/commit/c198e5836970f0970b96498fcbe6fa83d90110cf
Comment 1 Vincent Danen 2013-08-22 15:12:41 UTC 
Created graphite-web tracking bugs for this issue:

Affects: fedora-all [bug 1000062]
Affects: epel-6 [bug 1000064]
Comment 2 Jonathan Steffan 2013-09-02 21:34:18 UTC 
https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.fc18
https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.fc19
https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.el5
https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.el6
Comment 3 Jonathan Steffan 2013-09-17 22:17:36 UTC 
This update has been marked as stable.