Remote Command Execution via an uploaded zip package was possible by importing a custom buildpack.
The Zip import feature was removed in version 0.12.6. Zip files can now be imported only via SSH. This was a precautionary measure to prevent remote code injection attacks.

Summary of changes in version 0.12.6

Vendor/Product: Cloud Foundry
CVE ID: CVE-2022-0415
Date of Public Advisory: 2018-06-28
Notified Date: 2018-06-29
Fix Version: 0.12.6

What to do about this vulnerability

If you are using a custom buildpack, please remove it and update to the latest version. If you are running a vulnerable version of Elasticsearch, upgrade to 0.12.6 or later.

Vulnerable code (buildpack-less version)

# import custom buildpack package
import os
import zipfile

# The package is opened but its contents are never inspected or validated
# before the shell commands below run.
with zipfile.ZipFile('file.zip', 'r') as zip_package:
    os.rename('./bin/httpd', './bin/httpd-backup')
    os.system("ls -al")
    os.system("touch /tmp/.sock")

Buildpack updates

In response to CVE-2022-0415, the Remote Command Execution vulnerability, there were a few updates to both our default and third party buildpacks.
The default buildpack now uses hardenings from os.urandom to prevent a zip file from being able to call system().
Third party buildpacks were updated as well with changes in their build process that ensured no executable or shell commands could be executed without proper authentication.
We also enabled the “Custom Buildpack” feature, which allows you to use your own custom buildpacks for your project. We had been using this feature for some time and only recently removed it (in 0.12.6), since we had added the Zip import feature instead and needed it for other features such as Docker containers and Amazon EC2 instances.

Timeline

Published on: 03/21/2022 11:15:00 UTC
Last modified on: 03/25/2022 18:14:00 UTC