Bug 1000060 - (CVE-2013-5093, CVE-2013-5942, CVE-2013-5943) CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution flaw due to pickle processing
CVE-2013-5093 CVE-2013-5942 CVE-2013-5943 graphite-web: remote code execution...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20130820,repo...
: Security
Depends On: 1000062 1000064
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-22 11:10 EDT by Vincent Danen
Modified: 2013-09-30 03:26 EDT (History)
3 users (show)

See Also:
Fixed In Version: graphite-web 0.9.11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-17 18:17:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-08-22 11:10:29 EDT
It was reported [1] that a flaw exists in graphite-web versions 0.9.5 through to 0.9.10, due to the use of the pickle module.  The clustering feature of graphite-web was introduced in 0.9.5 to facilitate scaling for a graphite setup, which was achieved by passing pickled data between servers.  However, upon receipt of the pickled data, no validation was done to limit the types of objects that are unpickled, which creates a condition where arbitrary code can be executed.  Based on the available metasploit module [2], it does not look as though any kind of authentication or validation between servers exists either, to prevent a remote unauthenticated user from exploiting this flaw.

This flaw has been fixed in 0.9.11 (git commit [3]).

[1] http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/
[2] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb
[3] https://github.com/graphite-project/graphite-web/commit/c198e5836970f0970b96498fcbe6fa83d90110cf
Comment 1 Vincent Danen 2013-08-22 11:12:41 EDT
Created graphite-web tracking bugs for this issue:

Affects: fedora-all [bug 1000062]
Affects: epel-6 [bug 1000064]
Comment 3 Jonathan Steffan 2013-09-17 18:17:36 EDT
This update has been marked as stable.

Note You need to log in before you can comment on or make changes to this bug.