Bug 2037531 (CVE-2021-23727)

Summary: CVE-2021-23727 celery: stored command injection vulnerability may allow privileges escalation
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrew, aurelien, bbuckingham, bcoca, bcourt, bkearney, btotty, caswilli, cmeyers, davidn, ehelms, fzatlouk, gblomqui, jcammara, jhardy, jobarker, jsherril, kaycoth, lzap, mabashia, mhulan, mrunge, myarboro, ngompa13, nmoumoul, notting, orabin, osapryki, pcreech, pingou, rchan, relrod, rpetrell, sdoran, smcdonal, tkuratom
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: celery 5.2.2 Doc Type: If docs needed, set a value
Doc Text:
A command injection vulnerability was found in the distributed task queue celery, which can lead to remote code execution. An attacker with access to backend results can reconstruct the exception class to act as a command payload which can be queried to the task to execute.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2037533, 2037532, 2037710, 2037740    
Bug Blocks: 2037535    

Description Marian Rehak 2022-01-05 20:22:48 UTC
It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

External Reference:


Comment 1 Marian Rehak 2022-01-05 20:23:10 UTC
Created python-celery tracking bugs for this issue:

Affects: epel-all [bug 2037533]
Affects: fedora-all [bug 2037532]

Comment 3 lnacshon 2022-01-06 12:04:02 UTC
to upgrade celery to version 5.2.2 or higher.

Comment 6 Tapas Jena 2022-01-06 14:52:45 UTC
The analysis is complete for Ansible Tower 3.8 and Controller as part of AAP 2.0. None of them are using the affected component i.e. celery(python-celery)[1]. Hence, marking it as "Not Affected".

[1] Please refer : https://github.com/ansible/tower/blob/release_3.8.6/requirements/requirements.txt