CVE-2022-34558: Something strange happened with pre-release versions with wmagent · Issue #11188 · dmwm/WMCore

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.


Impact of the bug
Malicious code execution

Describe the bug
There are release candidates of wmagent (https://pypi.org/project/wmagent/1.3.3rc2/#history).
In 1.3.3rc2 and 1.3.3rc1 there is a requirements.txt file with this content:

# All dependencies needed to run WMAgent
Cheetah==2.4.0
Markdown==3.0.1
MySQL-python==1.2.5
SQLAlchemy==1.3.3
Sphinx==1.3.5
cx-Oracle==5.2.1
dbs-client==3.7.8
decorator==3.4.2
future==0.16.0
httplib2==0.7.3
psutil==5.6.6
py==1.7.0
pyOpenSSL==18.0.0
pycurl-client==3.7.8
pycurl==7.19.3
python-cjson==1.2.1
pyzmq==17.1.2
retry==0.9.1
stomp.py==4.1.15
rucio-clients==1.19.3

These dependencies will be installed by setup.py:

...
requirements = "requirements.txt"

...
setup(name='wmagent',
      version=wmcore_version,
      maintainer='CMS DMWM Group',
      maintainer_email='[email protected]',
      package_dir={'': 'src/python/'},
      packages=list_packages(['src/python/Utils',
                              'src/python/WMCore',
                              'src/python/WMComponent',
                              'src/python/WMQuality',
                              'src/python/PSetTweaks']),
      data_files=list_static_files(),
      install_requires=parse_requirements(requirements),
      url="https://github.com/dmwm/WMCore",
      license="Apache License, Version 2.0",
      )

dbs-client does not exist in pypi yet:

python3 -m pip install dbs-client
ERROR: Could not find a version that satisfies the requirement dbs-client (from versions: none)
ERROR: No matching distribution found for dbs-client

The problem: the intruder can create a malicious dbs-client package on pypi, and it will be installed by our package users.

Solution:
Need to delete these potentially unsafe packages from pypi.
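As an added, defender-side check (not code from the WMCore project or from the issue author): a small Python script that parses a requirements.txt, normalises project names the way PyPI does (so dbs-client, dbs_client and DBS.Client compare equal), and reports every pinned name that is not registered on the index, which is exactly the dbs-client situation above. project_exists_on_pypi queries the live PyPI JSON API and is an assumption about that API's 404 behaviour; SAMPLE_REQUIREMENTS and SAMPLE_INDEX are constructed data so the script runs offline.

```python
import re
import urllib.request
from urllib.error import HTTPError

# PEP 503 normalisation: PyPI treats "dbs-client", "dbs_client" and
# "DBS.Client" as one project, so names are compared in normalised form.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Project name at the start of a requirement line, i.e. before any extras
# ("[...]"), version specifier ("==", ">=") or environment marker (";").
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def parse_requirements(text: str) -> list[str]:
    """Normalised project names from requirements.txt content; blank lines,
    comments and pip options such as "-r other.txt" are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def project_exists_on_pypi(name: str) -> bool:
    """Live lookup via the PyPI JSON API (needs network; 404 means unregistered)."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as r:
            return r.status == 200
    except HTTPError as e:
        if e.code == 404:
            return False
        raise

def find_unregistered(text: str, exists=project_exists_on_pypi) -> list[str]:
    """Pinned names that exists(name) reports as absent from the index."""
    return [n for n in parse_requirements(text) if not exists(n)]

# Constructed sample: a few pins from the issue's requirements.txt plus an
# assumed snapshot of which names the index knows (not a real query result).
SAMPLE_REQUIREMENTS = """# All dependencies needed to run WMAgent
Cheetah==2.4.0
dbs-client==3.7.8
MySQL-python==1.2.5
pycurl==7.19.3
stomp.py==4.1.15
"""
SAMPLE_INDEX = {"cheetah", "mysql-python", "pycurl", "stomp-py"}
```

Running find_unregistered(SAMPLE_REQUIREMENTS, lambda n: n in SAMPLE_INDEX) returns ["dbs-client"]; against the live index, call find_unregistered(open("requirements.txt").read()) in CI and fail the build when the list is non-empty.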

Related news

GHSA-4vq7-8699-4xgc: WMAgent arbitrary code execution via a crafted dbs-client package

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.
