This is an automated email from the ASF dual-hosted git repository. potiuk pushed a commit to branch flask-oid-vulnerability in repository https://gitbox.apache.org/repos/asf/airflow-site.git
commit 21eb5e82b9ed8bcaef389acdaa93763c84e35cb0 Author: Jarek Potiuk <[email protected]> AuthorDate: Mon Feb 26 13:08:32 2024 +0100 Add blog post about FAB OID vulnerability --- .../content/en/blog/fab-oid-vulnerability/index.md | 102 +++++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/landing-pages/site/content/en/blog/fab-oid-vulnerability/index.md b/landing-pages/site/content/en/blog/fab-oid-vulnerability/index.md new file mode 100644 index 0000000000..9130273f20 --- /dev/null +++ b/landing-pages/site/content/en/blog/fab-oid-vulnerability/index.md 
@@ -0,0 +1,102 @@ +--- +title: "Vulnerability in long deprecated OpenID authentication method in Flask AppBuilder" +linkTitle: "Vulnerability in long deprecated OpenID authentication method in Flask AppBuilder" +author: "Jarek Potiuk" +github: "potiuk" +linkedin: "jarek.potiuk" +description: "Advising users who still use a long-deprecated OpenID authentication method in Flask AppBuilder to upgrade to Apache Airflow 2.8.2" +tags: [Vulnerabilities] +date: "2024-02-26" +--- + +# Vulnerability in long deprecated OpenID authentication method in Flask AppBuilder + +Recently [Islam Rzayev](https://www.linkedin.com/in/islam-rzayev) made us aware of a vulnerability in the +long deprecated OpenID authentication method in Flask AppBuilder. This vulnerability allowed a malicious user +to take over the identity of any Airflow UI user by forging a specially crafted request and implementing +their own OpenID service. While this is an old, deprecated and almost not used authentication method, we still +took the issue seriously. + +This issue ONLY affects users who have ``AUTH_OID`` set in their ``webserver_config.py`` file as +``AUTH_TYPE``. This is a very old and deprecated authentication method that is unlikely to be used by anyone. + +We would like to advise even the small number of our users that still use this +authentication method to take an immediate action and either upgrade to Apache Airflow 2.8.2 or switch to +another authentication method (or apply a workaround we provide if they cannot do either of the above +immediately). + +Important to stress, because many of the users might get confused by the name, OpenID is NOT the same as +OpenID Connect. 
Those are completely different protocols and while OpenID Connect (also known as OIDC) is +a modern, widely used protocol, OpenID is a legacy protocol that has been deprecated more than 10 years +ago and since then has been abandoned by almost everyone in the community, including all services in +Flask AppBuilder example services that supported it, so it is highly unlikely someone is still using it. + +Due to this highly unlikely configuration the [Flask AppBuilder CVE](https://www.cve.org/CVERecord?id=CVE-2024-25128) +is just "Moderate" not "Critical". It affects a very small (if any) number of users and it's not likely +to be a target for an attack. However, we still advise our users who still use AUTH_OID to apply remediation. + +This vulnerability is fixed in Flask Appbuilder 4.3.11 and Apache Airflow 2.8.2 uses that version of Flask +Application Builder. We advise users who still use this authentication method to either switch to another +authentication method or upgrade to Apache Airflow 2.8.2. If they cannot do either +of these solutions quickly, they should apply the workaround provided below. + +## Impact + +When Flask-AppBuilder is set to ``AUTH_TYPE`` set to ``AUTH_OID``, it allows an attacker to forge an HTTP +request that could deceive the backend into using any requested OpenID service. This vulnerability +could grant an attacker unauthorised privilege access if a custom OpenID service is deployed +by the attacker and accessible by the backend. + +This vulnerability is only exploitable when the application is using OpenID (not OpenID Connect also known +as OIDC). Currently, this protocol is regarded as legacy, with significantly reduced usage. + +## Possible remediation + +* Change your authentication method - if you are using ``AUTH_OID``, there are almost no commercial services + supporting it, it was deprecated 10 years ago and abandoned by nearly everyone in the community 4 years + ago. 
Your best choice is to choose a different authentication method. +* Upgrade to Apache Airflow 2.8.2 (which also upgrades to Flask-AppBuilder 4.3.11 that contains a fix) +* If upgrade is not possible, apply the workaround below + +## Workarounds + +If upgrade or changing authentication method is not possible add the following to +your ``webserver_config.py`` file to fix the issue: + +```python +import os + +from flask import flash, redirect +from flask_appbuilder.security.forms import LoginForm_oid +from flask_appbuilder.security.views import AuthOIDView +from flask_appbuilder.views import expose + +from airflow.www.security import AirflowSecurityManager + +basedir = os.path.abspath(os.path.dirname(__file__)) + +class FixedOIDView(AuthOIDView): + @expose("/login/", methods=["GET", "POST"]) + def login(self, flag=True): + form = LoginForm_oid() + if form.validate_on_submit(): + identity_url = None + for provider in self.appbuilder.sm.openid_providers: + if provider.get("url") == form.openid.data: + identity_url = form.openid.data + if identity_url is None: + flash(self.invalid_login_message, "warning") + return redirect(self.appbuilder.get_url_for_login) + return super().login(flag=flag) + +class FixedAirflowSecurityManager(AirflowSecurityManager): + authoidview = FixedOIDView + +SECURITY_MANAGER_CLASS = FixedAirflowSecurityManager +``` + +## Credits + +Big thanks to [Islam Rzayev](https://www.linkedin.com/in/islam-rzayev) for finding out and reporting the issue responsibly and to [Daniel Gaspar](https://github.com/dpgaspar) for +very close cooperation on this one and coordinating the disclosure together with the [Apache Superset](https://superset.apache.org/) +where Flask AppBuilder is also used.
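Review bot: In the workaround snippet under "## Workarounds", `import os` and `basedir = os.path.abspath(os.path.dirname(__file__))` are unused by `FixedOIDView` or `FixedAirflowSecurityManager`; since users are told to paste this block into `webserver_config.py` as a security fix, drop both lines so the snippet carries only what the fix needs. It would also help to state which Airflow versions the workaround was verified against (it imports `AirflowSecurityManager` from `airflow.www.security`, and the post targets users who cannot yet move to 2.8.2), and to note that when `openid_providers` is empty the override rejects every OpenID login, which is the safe outcome but should be spelled out. Minor wording: the product name appears as "Flask AppBuilder", "Flask-AppBuilder", "Flask Appbuilder" and "Flask Application Builder" in the same post; pick one, and "take an immediate action" should read "take immediate action".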
