CVE-2022-43706: StackStorm v3.8.0 Released
Dec 02, 2022
By Carlos (@nzlosh) with assistance from Ankur Singh (@rush-skills)
StackStorm v3.8.0 has been released. It comes with two critical security patches, new core features and enhancements, Web UI updates, and lots of bug fixes.
CVE-2022-43706 - Web UI XSS Security Fix
Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users.
This major issue was reported by the independent security researcher Mohamed Elgllad and fixed in v3.8.0. We’d like to thank Mohamed for his open source security contribution!
We highly recommend our users update their StackStorm systems.
CVE-2022-44009 - K/V RBAC Security Fix
Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive information. This is now fixed, so please update to v3.8.0 if you started using RBAC for K/V in v3.7.0.
The issue was reported by Guilherme Murad Pim, one of the StackStorm community members and we appreciate the time and effort finding and reporting issues like that.
Guilherme is also working on contributing the SSO/SAML support in the next StackStorm version; more on that below.
Workflow engine graceful shutdown
StackStorm’s Workflow engine can now handle shutdown events more gracefully thanks to the contribution by @khushboobhatia01 from VMware.
Two new settings have been added to the [workflow_engine] section of st2.conf for more granular control:
[workflow_engine]
# How long to wait for process (in seconds) to exit after receiving shutdown signal.
exit_still_active_check = 300
# Time interval (in seconds) between subsequent checks for still-running executions.
still_active_check_interval = 2
Web UI Updates
New Auto-Save Workflow, Hotkey Shortcuts, Support for the Rule Search Criteria and Security fix for XSS were contributed by @Bitovi, a StackStorm partner. Check out a dedicated overview with screenshots and videos: Web UI Updates in v3.8.0.
Outside of that, a new enhancement that temporarily disables web buttons in forms after onClick, to avoid accidental double-clicks, was added by Parth Shandilya from @CERN in stackstorm/st2web#977 to make the Web UI experience even better!
Purging old tokens in Garbagecollector
Amanda McGuinness from @intive, a StackStorm partner, expanded the garbage collector to clean up more resources. The GC will now purge expired tokens, which were previously excluded from the purge process and could end up consuming a large amount of space over time.
You can control the new behavior via st2.conf settings:
[garbagecollector]
# Tokens that expired over this value (days) will be automatically deleted.
# Defaults to None (disabled).
tokens_ttl = None
See the garbagecollector purge documentation for more details.
Action Output Schema changes (Breaking change!)
If you have [system].validate_output_schema = True (disabled by default) in st2.conf AND you have added output_schema to any of your packs, then you must update your action metadata. Legacy schemas, like all invalid schemas, will NOT be used for validation; they will be silently ignored. However, for security, secret masking based on the legacy schema is still supported.
Secret masking is one of the primary purposes of output validation. But, the legacy schema format assumed that it was describing the properties of an object; that meant that only object properties could be masked, not the entire output. With v3.8.0, output_schema is much more versatile, removing this restriction on what can be masked.
In v3.8.0, output_schema must be a full jsonschema. With this change the entire output can be masked as output_schema can describe all basic types: object, list, bool, int, etc. Feel free to validate and/or mask the entire action output, or particular elements of lists, or properties of objects.
To migrate an action's legacy output_schema to be a full jsonschema, you'll need to add a top-level type, properties, and additionalProperties to it. See the v3.8.0 migration notes for detailed instructions on how to update.
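To make the migration and the new masking capability concrete, here is an added Python example. It is not StackStorm's own code: the wrapping of a legacy property map into a full jsonschema follows the steps above, but the `additionalProperties: false` value is a choice the pack author has to make (it rejects unlisted output keys under validation; use `true` if your action returns extra keys). The `secret: true` marker is the one st2 output schemas use for masking, while the recursive masking walk and the `MASK` placeholder are this example's own, written to show that a full schema can mask the whole output, list items, or object properties.

```python
"""Migrate a legacy (pre-3.8.0) output_schema to a full jsonschema and mask
secrets by walking the schema.  Added example, not StackStorm's code.
Assumes `secret: true` on a schema node marks that value for masking;
MASK is an arbitrary placeholder chosen for this example."""

from typing import Any

MASK = "********"

# Constructed legacy output_schema: a bare map of property name -> schema,
# as pack authors wrote it before v3.8.0 (no top-level type/properties).
LEGACY_OUTPUT_SCHEMA = {
    "username": {"type": "string"},
    "api_token": {"type": "string", "secret": True},
}


def migrate_legacy_output_schema(legacy: dict) -> dict:
    """Wrap a legacy property map into the full jsonschema v3.8.0 expects:
    a top-level "type", the old map under "properties", and an explicit
    "additionalProperties" (False here; an assumption, pick what fits)."""
    if isinstance(legacy.get("type"), str):
        return legacy  # already a full schema; nothing to migrate
    return {
        "type": "object",
        "properties": dict(legacy),
        "additionalProperties": False,
    }


def mask_secrets(schema: dict, value: Any) -> Any:
    """Return a copy of `value` with every node whose schema says
    `secret: true` replaced by MASK.  Because the schema can now describe
    any top-level type, the whole output, list items, or individual
    object properties can be masked; the legacy format only allowed the
    last of these."""
    if schema.get("secret") is True:
        return MASK
    stype = schema.get("type")
    if stype == "object" and isinstance(value, dict):
        props = schema.get("properties", {})
        return {
            k: (mask_secrets(props[k], v) if k in props else v)
            for k, v in value.items()
        }
    if stype == "array" and isinstance(value, list):
        items = schema.get("items")
        if isinstance(items, dict):
            return [mask_secrets(items, v) for v in value]
        return list(value)
    return value


def demo() -> dict:
    """Run the three masking cases on constructed sample outputs."""
    full = migrate_legacy_output_schema(LEGACY_OUTPUT_SCHEMA)
    return {
        # object property (the only case the legacy format could express)
        "object": mask_secrets(full, {"username": "alice", "api_token": "tok-123"}),
        # entire output is the secret (new in v3.8.0)
        "whole": mask_secrets({"type": "string", "secret": True}, "raw-token"),
        # every element of a list is secret (new in v3.8.0)
        "list": mask_secrets(
            {"type": "array", "items": {"type": "string", "secret": True}},
            ["k1", "k2"],
        ),
    }


if __name__ == "__main__":
    for case, masked in demo().items():
        print(f"{case}: {masked}")
```

Run it as a script to see the three masked results; `migrate_legacy_output_schema` is idempotent, so it is safe to apply to schemas you have already converted.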
Contributed by Jacob Floyd (@cognifloyd) @Copart IT.
Other significant changes
- Support for communicating with Redis over TLS.
- Process patternProperties and additionalItems defined in pack schema.
- Improved nested array support in schemas.
- HTTP_PROXY/HTTPS_PROXY environment variables are checked and used by st2client.
- Date/time module switched from udatetime to ciso8601.
- Removed deprecated st2exporter code from StackStorm.
- st2chatops hubot-slack adapter updated to 4.10.0 to use the new Slack API by default.
And more than 30 other bug fixes and enhancements. Read the full v3.8.0 changelog here.
Coming up in the next release
There’s a massive amount of work ongoing by community to add SSO/SAML support to StackStorm across the platform components: stackstorm/st2#5664, stackstorm/st2web#983, stackstorm/st2-auth-backend-sso-saml2.
We’re looking for more testing and review from our community to get that major feature included in the next v3.9.0. If you’re interested, please take a look at the PRs above, try it, and provide feedback. The work-in-progress documentation for the new feature is available at stackstorm/st2docs#1146, and there’s even a Docker environment to test it.
We are also working on improving the developer experience and our build/test/release process with Pants, thanks to Jacob Floyd (@cognifloyd). Some Pants features we are most looking forward to include: requirements lockfiles; reliable fine grained caching of results from test, lint, format and other processes; and amazing error messages that guide contributors (both new and old) about how to resolve various dev issues. We hope this will lower the barrier to entry for new contributors, and streamline the StackStorm packaging release process.
Special Thanks
StackStorm releases are not possible without the Community of contributors and supporters, as well as the release team, who dedicated a lot of time to get v3.8.0 out with the assistance of TSC maintainers. We want to thank everyone: security researchers who reported issues, StackStorm partners who patched them, release managers who did the heavy lifting with release automation, contributors for their PRs, as well as our adopters for reporting bugs, asking questions and being an active part of the StackStorm open-source Community.
The v3.8.0 release was brought by the release managers Carlos with assistance of Ankur Singh @CERN.
Special thanks: @m4dcoder, Amanda McGuinness from @intive partner, Jacob Floyd, @dylan-bitovi, @Jappzy, @WestonVincze, @cded and Eugen from @Bitovi partner, @bharath-orchestral from @Orchestral partner, Bradley Bishop from @Encore partner, Khushboo Bhatia @VMware, @ParthS007 @CERN, Mark Mercado @DigitalOcean, @LiamRiddell, @luislobo, @S-T-A-R-L-O-R-D, @wfgydbu.
As usual, you can join the StackStorm Open Source Community in Slack and follow StackStorm on Twitter and LinkedIn so you don't miss upcoming project news and updates!