Bug 2037531 (CVE-2021-23727)

Summary: CVE-2021-23727 celery: stored command injection vulnerability may allow privileges escalation
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrew, aurelien, bbuckingham, bcoca, bcourt, bkearney, caswilli, cmeyers, ehelms, fzatlouk, gblomqui, jcammara, jhardy, jobarker, jsherril, kaycoth, lzap, mabashia, mhulan, mrunge, ngompa13, nmoumoul, notting, orabin, pcreech, pingou, rchan, rpetrell, sdoran, smcdonal, tkuratom
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: celery 5.2.2 Doc Type: If docs needed, set a value
Doc Text:
A command injection vulnerability was found in the distributed task queue celery, which can lead to remote code execution. An attacker with access to backend results can reconstruct the exception class to act as a command payload which can be queried to the task to execute.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2037532, 2037533, 2037710, 2037740    
Bug Blocks: 2037535    

Description Marian Rehak 2022-01-05 20:22:48 UTC 
It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

External Reference:

https://security.snyk.io/vuln/SNYK-PYTHON-CELERY-2314953
Comment 1 Marian Rehak 2022-01-05 20:23:10 UTC 
Created python-celery tracking bugs for this issue:

Affects: epel-all [bug 2037533]
Affects: fedora-all [bug 2037532]
Comment 3 lnacshon 2022-01-06 12:04:02 UTC 
fix:
to upgrade celery to version 5.2.2 or higher.
Comment 4 Yadnyawalk Tale 2022-01-06 13:13:04 UTC 
Upstream patch:
https://github.com/celery/celery/commit/5c3f1559df16c32fb8d82918b4497f688d42ad0a
Comment 6 Tapas Jena 2022-01-06 14:52:45 UTC 
The analysis is complete for Ansible Tower 3.8 and Controller as part of AAP 2.0. None of them are using the affected component i.e. celery(python-celery)[1]. Hence, marking it as "Not Affected".


[1] Please refer : https://github.com/ansible/tower/blob/release_3.8.6/requirements/requirements.txt