Quantcast

Galaxy Security Vulnerability - Arbitrary code execution

classic Classic list List threaded Threaded
4 messages Options
| Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Galaxy Security Vulnerability - Arbitrary code execution

Nate Coraor (nate@bx.psu.edu)
*DESCRIPTION*

A security vulnerability was recently discovered by David Wyde in two Galaxy tools that are provided with and enabled by default in the Galaxy server. These vulnerabilities allow malicious actors to execute arbitrary code as the user running the Galaxy server.

The vulnerable tools are "Filter GFF data by attribute" and "Filter GFF data by feature count", two tools which share code with each other and the more general "Filter data on any column using simple expressions" tool. The latter was fixed in a previous security disclosure but these GFF variants of the tool were missed when updating the Filter tool.

These tools use the Python `eval` and `exec` functions and do not properly sanitize input to these functions.

Additionally, an XSS vulnerability with the upload tool: An uploaded file's name was not properly sanitized, and so a specially crafted filename uploaded to the Galaxy server could be used as an XSS attack vector. This vulnerability has already been fixed in the 16.07 and 16.10 Galaxy releases.

The Galaxy Committers would like to thank David for disclosing these vulnerabilities. If you discover security vulnerabilities in Galaxy, please report them to the Galaxy Committers at [hidden email].

*AFFECTED VERSIONS*

These arbitrary code execution vulnerability is present in all known releases of Galaxy using the default tool config or a tool config in which these tools are loaded. To determine if your Galaxy server is affected, check your tool_conf.xml for the following lines:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

If you are unsure, you can also check to see if the tools have loaded by searching for them in your Galaxy server logs, e.g.:

  % grep gff_filter paster.log
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_attribute, version: 0.1 into tool panel..
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_feature_count, version: 0.1 into tool panel..

*IMPACT*

This vulnerability can be exploited to execute arbitrary code as the user that runs Galaxy jobs on any system where Galaxy runs those jobs (potentially a cluster). Such code can be used to provide a remote shell to an attacker, or read/write/delete files that the Galaxy user has appropriate permissions on.

*SOLUTION*

Multiple solutions exist for the arbitrary code execution vulnerability:

1. Update your Galaxy code. A fix for the issue has been applied to stable releases of Galaxy back to version 14.10.

2. Disable the affected tools.

3. Patch the affected tools. Patches to fix the vulnerabilities (depending on the version of Galaxy that you are running) can be found below.

*INSTRUCTIONS*

1. To apply the fix, first identify your current Galaxy release version using the `git branch` command. If you are on a 'release_YY.MM' branch, you can update with:

  % git pull

The process above can also be used to update to the 16.10 release if you are on the 'master' git branch. If you are on the 'master' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:

  % git fetch origin
  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

2. To disable the tools, locate and remove the following lines from your tool_conf.xml, then restart Galaxy:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

3. To manually patch the tools, use the appropriate patch file below:

For Galaxy releases 16.01 to dev:


For Galaxy releases 15.07 to 15.10:


For Galaxy releases 14.10 to 15.05:


To apply the patch, navigate to the root of your Galaxy directory, then execute (replacing <patch_url> with the url above appropriate for your current Galaxy release):

  % wget -O filter_security.patch <patch_url>

or:

  % curl -o filter_security.patch <patch_url>

and then test applying the patch:

  % patch -p1 --dry-run < filter_security.patch
  checking file tools/filters/gff/gff_filter_by_attribute.py
  checking file tools/filters/gff/gff_filter_by_attribute.xml
  checking file tools/filters/gff/gff_filter_by_feature_count.py
  checking file tools/filters/gff/gff_filter_by_feature_count.xml

If this succeeds without error (applying successfully with fuzz/offset is
fine), apply with:

  % patch -p1 < filter_security.patch
  patching file tools/filters/gff/gff_filter_by_attribute.py
  patching file tools/filters/gff/gff_filter_by_attribute.xml
  patching file tools/filters/gff/gff_filter_by_feature_count.py
  patching file tools/filters/gff/gff_filter_by_feature_count.xml

In all cases, for the changes to take effect, *YOU MUST RESTART ALL GALAXY
SERVER PROCESSES*.

On behalf of the Galaxy Committers,
--nate

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
| Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Galaxy Security Vulnerability - Arbitrary code execution

Lapointe, David
This site does not seem to be working for getting patches. depot.galaxyproject.org
-- 
David Lapointe Ph.D.
Sr. Bioinformatics Specialist
Research Technology (RT)
Tufts Technology Services (TTS)
16 Dearborn Road
Somerville MA 02144

Phone:  617-627-5319
Fax: 617-627-3667
http://it.tufts.edu

From: galaxy-dev <[hidden email]> on behalf of Nate Coraor <[hidden email]>
Date: Thursday, December 15, 2016 at 3:13 PM
To: "[hidden email]" <[hidden email]>
Cc: Galaxy Committers <[hidden email]>, Galaxy Dev List <[hidden email]>
Subject: [galaxy-dev] Galaxy Security Vulnerability - Arbitrary code execution

*DESCRIPTION*

A security vulnerability was recently discovered by David Wyde in two Galaxy tools that are provided with and enabled by default in the Galaxy server. These vulnerabilities allow malicious actors to execute arbitrary code as the user running the Galaxy server.

The vulnerable tools are "Filter GFF data by attribute" and "Filter GFF data by feature count", two tools which share code with each other and the more general "Filter data on any column using simple expressions" tool. The latter was fixed in a previous security disclosure but these GFF variants of the tool were missed when updating the Filter tool.

These tools use the Python `eval` and `exec` functions and do not properly sanitize input to these functions.

Additionally, an XSS vulnerability with the upload tool: An uploaded file's name was not properly sanitized, and so a specially crafted filename uploaded to the Galaxy server could be used as an XSS attack vector. This vulnerability has already been fixed in the 16.07 and 16.10 Galaxy releases.

The Galaxy Committers would like to thank David for disclosing these vulnerabilities. If you discover security vulnerabilities in Galaxy, please report them to the Galaxy Committers at [hidden email].

*AFFECTED VERSIONS*

These arbitrary code execution vulnerability is present in all known releases of Galaxy using the default tool config or a tool config in which these tools are loaded. To determine if your Galaxy server is affected, check your tool_conf.xml for the following lines:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

If you are unsure, you can also check to see if the tools have loaded by searching for them in your Galaxy server logs, e.g.:

  % grep gff_filter paster.log
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_attribute, version: 0.1 into tool panel..
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_feature_count, version: 0.1 into tool panel..

*IMPACT*

This vulnerability can be exploited to execute arbitrary code as the user that runs Galaxy jobs on any system where Galaxy runs those jobs (potentially a cluster). Such code can be used to provide a remote shell to an attacker, or read/write/delete files that the Galaxy user has appropriate permissions on.

*SOLUTION*

Multiple solutions exist for the arbitrary code execution vulnerability:

1. Update your Galaxy code. A fix for the issue has been applied to stable releases of Galaxy back to version 14.10.

2. Disable the affected tools.

3. Patch the affected tools. Patches to fix the vulnerabilities (depending on the version of Galaxy that you are running) can be found below.

*INSTRUCTIONS*

1. To apply the fix, first identify your current Galaxy release version using the `git branch` command. If you are on a 'release_YY.MM' branch, you can update with:

  % git pull

The process above can also be used to update to the 16.10 release if you are on the 'master' git branch. If you are on the 'master' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:

  % git fetch origin
  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

2. To disable the tools, locate and remove the following lines from your tool_conf.xml, then restart Galaxy:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

3. To manually patch the tools, use the appropriate patch file below:

For Galaxy releases 16.01 to dev:


For Galaxy releases 15.07 to 15.10:


For Galaxy releases 14.10 to 15.05:


To apply the patch, navigate to the root of your Galaxy directory, then execute (replacing <patch_url> with the url above appropriate for your current Galaxy release):

  % wget -O filter_security.patch <patch_url>

or:

  % curl -o filter_security.patch <patch_url>

and then test applying the patch:

  % patch -p1 --dry-run < filter_security.patch
  checking file tools/filters/gff/gff_filter_by_attribute.py
  checking file tools/filters/gff/gff_filter_by_attribute.xml
  checking file tools/filters/gff/gff_filter_by_feature_count.py
  checking file tools/filters/gff/gff_filter_by_feature_count.xml

If this succeeds without error (applying successfully with fuzz/offset is
fine), apply with:

  % patch -p1 < filter_security.patch
  patching file tools/filters/gff/gff_filter_by_attribute.py
  patching file tools/filters/gff/gff_filter_by_attribute.xml
  patching file tools/filters/gff/gff_filter_by_feature_count.py
  patching file tools/filters/gff/gff_filter_by_feature_count.xml

In all cases, for the changes to take effect, *YOU MUST RESTART ALL GALAXY
SERVER PROCESSES*.

On behalf of the Galaxy Committers,
--nate

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
| Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Galaxy Security Vulnerability - Arbitrary code execution

Nicola Soranzo-2
Thanks David,
the issue has been already reported, see https://github.com/galaxyproject/galaxy/issues/3332 , hopefully someone from the Galaxy Team will look into this soon.

You can get the patch from GitHub in the mean time, it has been applied to all branches starting from release_14.10 .

Cheers,
Nicola

On 19/12/16 14:39, Lapointe, David wrote:
This site does not seem to be working for getting patches. depot.galaxyproject.org
-- 
David Lapointe Ph.D.
Sr. Bioinformatics Specialist
Research Technology (RT)
Tufts Technology Services (TTS)
16 Dearborn Road
Somerville MA 02144

Phone:  617-627-5319
Fax: 617-627-3667

From: galaxy-dev <[hidden email]> on behalf of Nate Coraor <[hidden email]>
Date: Thursday, December 15, 2016 at 3:13 PM
To: "[hidden email]" <[hidden email]>
Cc: Galaxy Committers <[hidden email]>, Galaxy Dev List <[hidden email]>
Subject: [galaxy-dev] Galaxy Security Vulnerability - Arbitrary code execution

*DESCRIPTION*

A security vulnerability was recently discovered by David Wyde in two Galaxy tools that are provided with and enabled by default in the Galaxy server. These vulnerabilities allow malicious actors to execute arbitrary code as the user running the Galaxy server.

The vulnerable tools are "Filter GFF data by attribute" and "Filter GFF data by feature count", two tools which share code with each other and the more general "Filter data on any column using simple expressions" tool. The latter was fixed in a previous security disclosure but these GFF variants of the tool were missed when updating the Filter tool.

These tools use the Python `eval` and `exec` functions and do not properly sanitize input to these functions.

Additionally, an XSS vulnerability with the upload tool: An uploaded file's name was not properly sanitized, and so a specially crafted filename uploaded to the Galaxy server could be used as an XSS attack vector. This vulnerability has already been fixed in the 16.07 and 16.10 Galaxy releases.

The Galaxy Committers would like to thank David for disclosing these vulnerabilities. If you discover security vulnerabilities in Galaxy, please report them to the Galaxy Committers at [hidden email].

*AFFECTED VERSIONS*

These arbitrary code execution vulnerability is present in all known releases of Galaxy using the default tool config or a tool config in which these tools are loaded. To determine if your Galaxy server is affected, check your tool_conf.xml for the following lines:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

If you are unsure, you can also check to see if the tools have loaded by searching for them in your Galaxy server logs, e.g.:

  % grep gff_filter paster.log
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_attribute, version: 0.1 into tool panel..
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_feature_count, version: 0.1 into tool panel..

*IMPACT*

This vulnerability can be exploited to execute arbitrary code as the user that runs Galaxy jobs on any system where Galaxy runs those jobs (potentially a cluster). Such code can be used to provide a remote shell to an attacker, or read/write/delete files that the Galaxy user has appropriate permissions on.

*SOLUTION*

Multiple solutions exist for the arbitrary code execution vulnerability:

1. Update your Galaxy code. A fix for the issue has been applied to stable releases of Galaxy back to version 14.10.

2. Disable the affected tools.

3. Patch the affected tools. Patches to fix the vulnerabilities (depending on the version of Galaxy that you are running) can be found below.

*INSTRUCTIONS*

1. To apply the fix, first identify your current Galaxy release version using the `git branch` command. If you are on a 'release_YY.MM' branch, you can update with:

  % git pull

The process above can also be used to update to the 16.10 release if you are on the 'master' git branch. If you are on the 'master' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:

  % git fetch origin
  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

2. To disable the tools, locate and remove the following lines from your tool_conf.xml, then restart Galaxy:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

3. To manually patch the tools, use the appropriate patch file below:

For Galaxy releases 16.01 to dev:


For Galaxy releases 15.07 to 15.10:


For Galaxy releases 14.10 to 15.05:


To apply the patch, navigate to the root of your Galaxy directory, then execute (replacing <patch_url> with the url above appropriate for your current Galaxy release):

  % wget -O filter_security.patch <patch_url>

or:

  % curl -o filter_security.patch <patch_url>

and then test applying the patch:

  % patch -p1 --dry-run < filter_security.patch
  checking file tools/filters/gff/gff_filter_by_attribute.py
  checking file tools/filters/gff/gff_filter_by_attribute.xml
  checking file tools/filters/gff/gff_filter_by_feature_count.py
  checking file tools/filters/gff/gff_filter_by_feature_count.xml

If this succeeds without error (applying successfully with fuzz/offset is
fine), apply with:

  % patch -p1 < filter_security.patch
  patching file tools/filters/gff/gff_filter_by_attribute.py
  patching file tools/filters/gff/gff_filter_by_attribute.xml
  patching file tools/filters/gff/gff_filter_by_feature_count.py
  patching file tools/filters/gff/gff_filter_by_feature_count.xml

In all cases, for the changes to take effect, *YOU MUST RESTART ALL GALAXY
SERVER PROCESSES*.

On behalf of the Galaxy Committers,
--nate


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
| Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Galaxy Security Vulnerability - Arbitrary code execution

Daniel Blankenberg
The server is back up. Thanks for reporting this issue.

Dan

On Dec 19, 2016, at 10:02 AM, Nicola Soranzo <[hidden email]> wrote:

Thanks David,
the issue has been already reported, see https://github.com/galaxyproject/galaxy/issues/3332 , hopefully someone from the Galaxy Team will look into this soon.

You can get the patch from GitHub in the mean time, it has been applied to all branches starting from release_14.10 .

Cheers,
Nicola

On 19/12/16 14:39, Lapointe, David wrote:
This site does not seem to be working for getting patches. depot.galaxyproject.org
-- 
David Lapointe Ph.D.
Sr. Bioinformatics Specialist
Research Technology (RT)
Tufts Technology Services (TTS)
16 Dearborn Road
Somerville MA 02144

Phone:  617-627-5319
Fax: 617-627-3667

From: galaxy-dev <[hidden email][hidden email]> on behalf of Nate Coraor <[hidden email]>
Date: Thursday, December 15, 2016 at 3:13 PM
To: "[hidden email][hidden email]" <[hidden email]>
Cc: Galaxy Committers <[hidden email]>, Galaxy Dev List <[hidden email]>
Subject: [galaxy-dev] Galaxy Security Vulnerability - Arbitrary code execution

*DESCRIPTION*

A security vulnerability was recently discovered by David Wyde in two Galaxy tools that are provided with and enabled by default in the Galaxy server. These vulnerabilities allow malicious actors to execute arbitrary code as the user running the Galaxy server.

The vulnerable tools are "Filter GFF data by attribute" and "Filter GFF data by feature count", two tools which share code with each other and the more general "Filter data on any column using simple expressions" tool. The latter was fixed in a previous security disclosure but these GFF variants of the tool were missed when updating the Filter tool.

These tools use the Python `eval` and `exec` functions and do not properly sanitize input to these functions.

Additionally, an XSS vulnerability with the upload tool: An uploaded file's name was not properly sanitized, and so a specially crafted filename uploaded to the Galaxy server could be used as an XSS attack vector. This vulnerability has already been fixed in the 16.07 and 16.10 Galaxy releases.

The Galaxy Committers would like to thank David for disclosing these vulnerabilities. If you discover security vulnerabilities in Galaxy, please report them to the Galaxy Committers at [hidden email].

*AFFECTED VERSIONS*

These arbitrary code execution vulnerability is present in all known releases of Galaxy using the default tool config or a tool config in which these tools are loaded. To determine if your Galaxy server is affected, check your tool_conf.xml for the following lines:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

If you are unsure, you can also check to see if the tools have loaded by searching for them in your Galaxy server logs, e.g.:

  % grep gff_filter paster.log
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_attribute, version: 0.1 into tool panel..
  galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_feature_count, version: 0.1 into tool panel..

*IMPACT*

This vulnerability can be exploited to execute arbitrary code as the user that runs Galaxy jobs on any system where Galaxy runs those jobs (potentially a cluster). Such code can be used to provide a remote shell to an attacker, or read/write/delete files that the Galaxy user has appropriate permissions on.

*SOLUTION*

Multiple solutions exist for the arbitrary code execution vulnerability:

1. Update your Galaxy code. A fix for the issue has been applied to stable releases of Galaxy back to version 14.10.

2. Disable the affected tools.

3. Patch the affected tools. Patches to fix the vulnerabilities (depending on the version of Galaxy that you are running) can be found below.

*INSTRUCTIONS*

1. To apply the fix, first identify your current Galaxy release version using the `git branch` command. If you are on a 'release_YY.MM' branch, you can update with:

  % git pull

The process above can also be used to update to the 16.10 release if you are on the 'master' git branch. If you are on the 'master' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:

  % git fetch origin
  % git checkout -b release_YY.MM origin/release_YY.MM
  % git pull

2. To disable the tools, locate and remove the following lines from your tool_conf.xml, then restart Galaxy:

    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />

3. To manually patch the tools, use the appropriate patch file below:

For Galaxy releases 16.01 to dev:


For Galaxy releases 15.07 to 15.10:


For Galaxy releases 14.10 to 15.05:


To apply the patch, navigate to the root of your Galaxy directory, then execute (replacing <patch_url> with the url above appropriate for your current Galaxy release):

  % wget -O filter_security.patch <patch_url>

or:

  % curl -o filter_security.patch <patch_url>

and then test applying the patch:

  % patch -p1 --dry-run < filter_security.patch
  checking file tools/filters/gff/gff_filter_by_attribute.py
  checking file tools/filters/gff/gff_filter_by_attribute.xml
  checking file tools/filters/gff/gff_filter_by_feature_count.py
  checking file tools/filters/gff/gff_filter_by_feature_count.xml

If this succeeds without error (applying successfully with fuzz/offset is
fine), apply with:

  % patch -p1 < filter_security.patch
  patching file tools/filters/gff/gff_filter_by_attribute.py
  patching file tools/filters/gff/gff_filter_by_attribute.xml
  patching file tools/filters/gff/gff_filter_by_feature_count.py
  patching file tools/filters/gff/gff_filter_by_feature_count.xml

In all cases, for the changes to take effect, *YOU MUST RESTART ALL GALAXY
SERVER PROCESSES*.

On behalf of the Galaxy Committers,
--nate


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
 https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
 http://galaxyproject.org/search/mailinglists/


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Loading...