Headline
CVE-2022-23470: Directory traversal attack of static file serving.
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy’s internal middleware. This issue has been patched in commit e5e6bda4f
and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.
An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the user under which Galaxy is running.
Impact
This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy’s internal middleware.
Deployment Method
Version
Vulnerable
Galaxy Ansible Roles
*
Safe
- nginx
*
Partially vulnerable, file read is contained to lib/galaxy/webapps/base/ and its subdirectories (which include static which is already exposed intentionally, and templates which was not.)
- apache
*
Safe
run.sh + nginx
*
Safe
run.sh directly exposed
<22.01
Safe
run.sh directly exposed
>=22.01
Vulnerable
Patches
A patch can be found at:
https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch
To apply the patch, navigate to the root of your Galaxy directory, then execute:
wget -O - https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1
or:
curl https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1
You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
Workarounds
You must patch with this patch to prevent this vulnerability, if you are in one of the vulnerable configurations.