It was reported [1] that a flaw exists in graphite-web versions 0.9.5 through to 0.9.10, due to the use of the pickle module. The clustering feature of graphite-web was introduced in 0.9.5 to facilitate scaling for a graphite setup, which was achieved by passing pickled data between servers. However, upon receipt of the pickled data, no validation was done to limit the types of objects that are unpickled, which creates a condition where arbitrary code can be executed. Based on the available metasploit module [2], it does not look as though any kind of authentication or validation between servers exists either, to prevent a remote unauthenticated user from exploiting this flaw. This flaw has been fixed in 0.9.11 (git commit [3]). [1] http://ceriksen.com/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/ [2] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb [3] https://github.com/graphite-project/graphite-web/commit/c198e5836970f0970b96498fcbe6fa83d90110cf
Created graphite-web tracking bugs for this issue: Affects: fedora-all [bug 1000062] Affects: epel-6 [bug 1000064]
https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.fc18 https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.fc19 https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.el5 https://admin.fedoraproject.org/updates/graphite-web-0.9.12-1.el6
This update has been marked as stable.