CVE-2022-36006: Arvados 2.4.2 Release Notes
Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypeScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based “Workbench 1” app (“apt-get remove arvados-workbench”) from your installation as a workaround.
August 9, 2022
The Arvados team is pleased to announce Arvados 2.4.2.
This release includes a critical security update to address vulnerability GHSL-2022-063, described below. We strongly recommend that all installations of Arvados, especially those accessible via the public Internet, upgrade to 2.4.2 as soon as possible. See Upgrading Arvados for upgrade instructions.
In addition, this release includes several performance improvements, usability improvements, and bug fixes.
Security updates

GHSL-2022-063
GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in the Arvados Workbench that allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
This vulnerability is fixed in 2.4.2 (#19316).
It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.
This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypeScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack.
CVE-2022-31163 and CVE-2022-32224
As a precaution, Arvados 2.4.2 includes security updates for Ruby on Rails and the TZInfo Ruby gem. However, there is no known way to exploit these CVEs through Arvados.
New Features
#18984
The “Type” column filters in the Workbench 2 Projects view are now expanded by default, and intermediate workflow steps are now hidden by default.
#18203
In Workbench 2, after adding a metadata element to a Project or Collection, the “key” is not cleared and focus remains on the “value” field, making it easier to enter multiple values for the same key.
#19177
There is now a configuration option for admins to disable the user interface for the “sharing link” feature (URLs which can be sent to users to access the data in a specific collection in Arvados without an Arvados account), for organizations where sharing links violate their data sharing policy.
#18975
Workflow logs on Workbench 2 now show “Main logs” by default, which is a combination of the crunch-run, stdout and stderr logs. Log following (auto-scrolling to keep up with new output) has also been improved.
#16070
Workbench 2 now features a new panel showing the command line used to invoke a workflow or workflow step.
#19231
Workbench 2 now has options for smaller page sizes (10 and 20 items) to speed up loading project contents.
#19282 #19220
Added a new method to the Java SDK to upload files via the Keep Web API. The Java SDK now reads the API token used by KeepClient from a configuration parameter.
Bug Fixes
#19192
Fixed an internal, silent failure in keep-web that would prevent use of the manifest cache after keep-web was running for a while, resulting in poor performance accessing files in Keep via HTTP, WebDAV and S3 APIs until the service was restarted. keep-web now correctly uses the cache and maintains consistent performance.
#19153
In the Workbench 2 collection file browser, following the URL resulting from “Copy to clipboard” will now open the file content in the browser, instead of forcing a file download.
#19297
Workbench 2 advanced search by metadata property now works as intended, instead of returning an error.
#19305
When using the “breadcrumbs bar” to edit Project properties, the existing metadata properties are now loaded correctly.
#19296
Fixed Python SDK bug in Collection.remove where the recursive flag was not propagated, preventing removal of more than one level of directories. Recursively removing deep directory trees in Collections now works as intended.
#18965
When a user who is not logged in navigates to a Workbench 2 page, they are redirected to the login page and, after logging in, are now correctly returned to the page they intended to visit.
#19142
Workbench 2 “All processes” and “Subprocesses” panels now load faster by limiting which fields of the container record are requested.
#19321
When launching a workflow on Workbench 1, workflow inputs with “enum” type are now displayed and set correctly.
#19280
When submitting very large workflows with arvados-cwl-runner, particularly those defined entirely in a single file, the time spent in initialization (before the first workflow step is submitted) has been greatly reduced.
Related news
Gentoo Linux Security Advisory 202408-24 - A vulnerability has been discovered in Ruby on Rails, which can lead to remote code execution via deserialization of data. Versions of the 6.1 slot earlier than 6.1.6.1 are affected.
Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-1151-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Updated Satellite 6.11 packages that fix critical security bugs and several regular bugs are now available for Red Hat Satellite. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-32224: An insecure deserialization flaw was found in Active Record, which uses YAML.unsafe_load to convert the YAML data into Ruby objects. An attacker supplying crafted data to the database can perform remote code execution (RCE), resulting in complete system compromise.
Red Hat Security Advisory 2023-0261-02 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Updated Satellite 6.12 packages that fix critical security bugs and several regular bugs are now available for Red Hat Satellite. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-32224: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
* CVE-2022-42889: apache-commons-text: variable interpolation RCE
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-30122: rubygem-rack: crafted multipart POST request may cause a DoS
* CVE-2022-31163: rubygem-tzinfo: arbitrary code execution
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.3.61, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the ...
Impact

Affected versions:
- 0.3.60 and earlier.
- 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability: With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. For example, with version 1.2.9, you can run the following to load a file with path `/tmp/payload.rb`:

```ruby
TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")
```

The exact number of parent directory traversals needed will vary depending on the location of t...
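The two TZInfo passages above (the CVE-2022-31163 summary and the advisory's Impact section) describe the same root cause: an identifier check that a newline slips past, followed by a `require` on a path built from that identifier. The script below is an added example, not code from tzinfo, tzinfo-data or Arvados. It reconstructs the bug class with two illustrative patterns (a line-anchored `^...$` check versus a whole-string `\A...\z` check; neither is the gem's exact source), resolves the traversal identifier the way a `require "tzinfo/definitions/#{identifier}"` would, and adds a containment check on the resolved path. The data directory `/opt/tz/definitions` and the `InvalidIdentifier` class are assumptions for the example.

```ruby
# Added example, not tzinfo's or Arvados' code: why a line-anchored
# identifier check accepts "foo\n/../../tmp/payload", and how anchoring
# to the whole string plus a containment check on the resolved path
# stops it. Character classes follow the shape of TZInfo identifiers
# ("Europe/London", "Etc/GMT+1"); both patterns are illustrative
# reconstructions of the bug class, not the gem's exact source.
require 'pathname'

# In Ruby, ^ and $ match at line boundaries, so a multi-line identifier
# whose first line is well-formed passes this check.
LINE_ANCHORED   = /^[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*$/
# \A and \z anchor to the start and end of the whole string.
STRING_ANCHORED = /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/

# Hypothetical directory standing in for tzinfo-data's definitions dir.
DATA_DIR = '/opt/tz/definitions'

# Stand-in for the gem's own invalid-identifier error (assumed name).
class InvalidIdentifier < StandardError; end

def valid_identifier_line_anchored?(identifier)
  LINE_ANCHORED.match?(identifier)
end

def valid_identifier_string_anchored?(identifier)
  STRING_ANCHORED.match?(identifier)
end

# Mirror what `require "tzinfo/definitions/#{identifier}"` resolves to
# once the gem's '-' => '__m__' and '+' => '__p__' renaming is applied
# and '..' segments are collapsed.
def definition_path(identifier)
  mangled = identifier.gsub('-', '__m__').gsub('+', '__p__')
  Pathname.new(File.join(DATA_DIR, "#{mangled}.rb")).cleanpath.to_s
end

# Defence in depth: the resolved file must stay under DATA_DIR.
def inside_data_dir?(path)
  path.start_with?("#{DATA_DIR}/")
end

# Hardened lookup: validate the whole string, then check containment.
def safe_definition_path(identifier)
  raise InvalidIdentifier, 'malformed identifier' unless valid_identifier_string_anchored?(identifier)
  path = definition_path(identifier)
  raise InvalidIdentifier, 'escapes data directory' unless inside_data_dir?(path)
  path
end

# Summarise both checks for a list of identifiers.
def audit(identifiers)
  identifiers.map do |id|
    path = definition_path(id)
    {
      identifier: id,
      line_anchored_accepts: valid_identifier_line_anchored?(id),
      string_anchored_accepts: valid_identifier_string_anchored?(id),
      resolves_to: path,
      contained: inside_data_dir?(path)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: two normal identifiers, the advisory's traversal
  # shape, and a trailing-newline variant that also slips past ^...$.
  samples = ['Europe/London', 'Etc/GMT+1',
             "foo\n/../../../../../../../../tmp/payload", "Europe/London\n"]
  audit(samples).each { |row| puts row.inspect }
end
```

The trailing-newline case is worth keeping in any regression test: it is accepted by the line-anchored pattern and still resolves inside the data directory, so only the whole-string anchor rejects it.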
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
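The CVE-2022-32224 descriptions above (the Active Record entry and this paragraph) say what the unsafe coder does but not what that looks like in practice. The script below is an added example, not Rails', Psych's or Arvados' code. It feeds the same crafted column contents to `YAML.unsafe_load`, to `YAML.safe_load` with and without an allowlist (the permitted-classes approach the fixed Rails versions take for serialized columns), and to a JSON coder. The `AuditEvent` class and the column contents are constructed for the example.

```ruby
# Added example, not Rails' or Arvados' code: how a YAML-serialized
# column deserialized with YAML.unsafe_load turns attacker-controlled
# database content into arbitrary object instantiation, and what the
# safe alternatives (YAML.safe_load with an allowlist, or a JSON coder)
# do with the same bytes.
require 'yaml'
require 'json'

# Stand-in application class. An attacker would name a class whose
# instantiation or later use has dangerous side effects; this one is
# harmless so the script is safe to run.
class AuditEvent
  attr_reader :actor, :action

  def initialize(actor = nil, action = nil)
    @actor = actor
    @action = action
  end
end

# Constructed column contents. BENIGN_YAML is what the application wrote;
# CRAFTED_YAML is what the row holds after someone with write access to
# the database (e.g. via SQL injection) replaced the hash with an object tag.
BENIGN_YAML  = "---\nactor: alice\naction: login\n"
CRAFTED_YAML = "--- !ruby/object:AuditEvent\nactor: attacker\naction: login\n"
# The JSON gem's own object-tagging convention, to show that a JSON
# coder does not honour it by default.
CRAFTED_JSON = '{"json_class":"AuditEvent","actor":"attacker","action":"login"}'

# Vulnerable coder: the YAML tag selects the class, Psych allocates it
# and sets instance variables from the mapping; initialize never runs.
def unsafe_yaml_coder_load(doc)
  # Psych releases before 3.3.2 have no unsafe_load; there plain
  # YAML.load is the unsafe path.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened coder: only scalars, arrays and hashes unless a class is
# explicitly permitted.
def safe_yaml_coder_load(doc, permitted_classes: [])
  YAML.safe_load(doc, permitted_classes: permitted_classes)
end

# Same as above, but reports a rejection as a value instead of raising,
# so the outcome can be logged or asserted on.
def safe_yaml_outcome(doc, permitted_classes: [])
  safe_yaml_coder_load(doc, permitted_classes: permitted_classes)
rescue Psych::DisallowedClass => e
  { rejected: e.message }
end

# JSON coder: JSON.parse ignores "json_class" unless create_additions
# is requested, so the document can only ever become plain data.
def json_coder_load(doc)
  JSON.parse(doc)
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_yaml_coder_load(CRAFTED_YAML)
  puts "unsafe_load built #{obj.class} with actor=#{obj.actor.inspect}"
  puts "safe_load:           #{safe_yaml_outcome(CRAFTED_YAML).inspect}"
  puts "safe_load+allowlist: #{safe_yaml_outcome(CRAFTED_YAML, permitted_classes: [AuditEvent]).class}"
  puts "json coder:          #{json_coder_load(CRAFTED_JSON).inspect}"
end
```

Note that the allowlisted `safe_load` still instantiates `AuditEvent` from the crafted document; an allowlist only limits which classes the database can name, so it should contain the handful of value classes the column was designed to hold and nothing else.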