GX-2017-0002: Arbitrary code execution for Galaxy servers with Galaxy Interactive Environments enabled

Nate Coraor
DESCRIPTION

A high severity security vulnerability was recently discovered in Galaxy Interactive Environments (GIEs) by the Galaxy Committers Team. Anyone with a Galaxy account can exploit this vulnerability to execute arbitrary code on the Galaxy server as the user running the Galaxy server process.

This is possible due to incorrect quoting of user-provided data passed to a shell execution context for the GIE `docker run` command.

This vulnerability has been assigned the disclosure ID GX-2017-0002.

AFFECTED VERSIONS

This vulnerability affects Galaxy versions 17.05 and later that have been configured to enable Galaxy Interactive Environments.

IMPACT

The vulnerability only affects Galaxy servers on which Galaxy Interactive Environments are enabled (by setting the `interactive_environment_plugins_directory` option in galaxy.ini). Because the vulnerability can be exploited to execute arbitrary code, the impact for affected servers is severe.

Administrators of Galaxy servers where GIEs are enabled should update immediately.

Administrators of Galaxy servers where GIEs are not enabled should also update, so that their servers are not vulnerable should they enable GIEs at a later date; however, it is not critical to do so immediately.

SOLUTION

Per our security policies[1], we have created fixes for all affected versions of Galaxy. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository.

The fix switches from shell execution to direct execution with exec(3): the command is passed as an argument vector rather than a single string interpreted by a shell, so it is not susceptible to shell escaping exploits.
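The following is an added illustration of the two execution styles described above; it is not Galaxy's code. The `GALAXY_USER` variable, the image name and the user value are constructed placeholders. The first function builds the unsafe single-string form (never executed here) and `shell_would_run` approximates how a POSIX shell would tokenise it; the second pair builds an argv list and runs it without a shell, with `docker` swapped for a Python one-liner so the demo runs offline.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample input: a user-controlled value of the kind a GIE hands to
# `docker run` (here an environment variable). It contains a shell command
# separator so the two execution styles can be told apart.
IMAGE = "example/gie-image"            # placeholder image name
USER_VALUE = "demo; echo INJECTED"     # constructed, contains ';'


def vulnerable_command_line(image, user_value):
    """Unsafe pattern: interpolate user data into one string that is later
    handed to a shell (shell=True). Only built here, never executed."""
    return "docker run -e GALAXY_USER=%s %s" % (user_value, image)


def shell_would_run(command_line):
    """Approximate how a POSIX shell tokenises the string: ';' ends a command,
    so everything after it becomes a second, user-chosen command."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def docker_run_argv(image, user_value):
    """Fixed pattern: build an argv list. Each element reaches execve(2) as
    one argument, so shell metacharacters carry no special meaning."""
    return ["docker", "run", "-e", "GALAXY_USER=%s" % user_value, image]


def run_without_shell(argv):
    """Execute argv directly (no shell). For this offline demo the 'docker'
    executable is replaced by a Python one-liner that echoes its argv as
    JSON, so the caller sees exactly what the child process received."""
    echo_argv = [sys.executable, "-c",
                 "import json, sys; print(json.dumps(sys.argv[1:]))"]
    result = subprocess.run(echo_argv + argv[1:], shell=False,
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    print(shell_would_run(vulnerable_command_line(IMAGE, USER_VALUE)))
    print(run_without_shell(docker_run_argv(IMAGE, USER_VALUE)))
```

With the shell form the value splits the line into two commands; with the argv form the whole value arrives in the child as one literal argument.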

INSTRUCTIONS

The fixes are available on the `release_17.05`, `release_17.09`, and `dev` branches in the Galaxy GitHub repository[2]. You can simply `git pull` or use your normal update procedure to get the changes.

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.

--nate (on behalf of the Galaxy Committers)


_______________________________________________
galaxy-announce mailing list
https://lists.galaxyproject.org/listinfo/galaxy-announce