Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Oct 2015 01:38:03 +0000
From: Yusaku Sako <yusaku@...tonworks.com>
To: "Mateusz Olejarka   (SecuRing)" <Mateusz.Olejarka@...uring.pl>,
	"user@...ari.apache.org" <user@...ari.apache.org>, "dev@...ari.apache.org"
	<dev@...ari.apache.org>, "security@...che.org" <security@...che.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [CVE-2015-1775] Apache Ambari Server Side Request Forgery
 vulnerability

CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.5.0 to 2.0.2

Versions Fixed: 2.1.0

Description: Ambari exposes a proxy endpoint through “api/v1/proxy” that can be used make REST calls to arbitrary host:port that are accessible from the Ambari server host. Ability to make these calls is limited to Ambari authenticated users only. In addition, an user need to be Ambari admin user to make the REST calls using METHODs other than GET (non-admin users can only call GET). This ability to call allows malicious users to perform port scans and/or access unsecured services visible to the Ambari Server host through the proxy endpoint. In addition Ambari provides an utility to handle such proxy calls that are used by View instances hosted by Ambari

Mitigation: Ambari users should upgrade to version 2.1.0 or above. Version 2.1.0 onwards the proxy end point (api/v1/proxy) has been disabled. In addition a configurable parameter (proxy.allowed.hostports) is introduced, in config file ambari.properties, to explicitly specify a list of host/port that can be proxied to when using the utility.

Credit: This issue was discovered by  Mateusz Olejarka (SecuRing).

References: https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ