This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-site.git
The following commit(s) were added to refs/heads/main by this push:
new d05451c01e Add blog post about FAB OID vulnerability (#971)
d05451c01e is described below
commit d05451c01e86f3c4fd9d4da53ef3e58cd5ae349e
Author: Jarek Potiuk <[email protected]>
AuthorDate: Wed Feb 28 14:13:19 2024 +0100
Add blog post about FAB OID vulnerability (#971)
---
.../content/en/blog/fab-oid-vulnerability/index.md | 102 +++++++++++++++++++++
1 file changed, 102 insertions(+)
diff --git a/landing-pages/site/content/en/blog/fab-oid-vulnerability/index.md
b/landing-pages/site/content/en/blog/fab-oid-vulnerability/index.md
new file mode 100644
index 0000000000..9130273f20
--- /dev/null
+++ b/landing-pages/site/content/en/blog/fab-oid-vulnerability/index.md
@@ -0,0 +1,102 @@
+---
+title: "Vulnerability in long deprecated OpenID authentication method in Flask
AppBuilder"
+linkTitle: "Vulnerability in long deprecated OpenID authentication method in
Flask AppBuilder"
+author: "Jarek Potiuk"
+github: "potiuk"
+linkedin: "jarek.potiuk"
+description: "Advising users who still use a long-deprecated OpenID
authentication method in Flask AppBuilder to upgrade to Apache Airflow 2.8.2"
+tags: [Vulnerabilities]
+date: "2024-02-26"
+---
+
+# Vulnerability in long deprecated OpenID authentication method in Flask
AppBuilder
+
+Recently [Islam Rzayev](https://www.linkedin.com/in/islam-rzayev) made us
aware of a vulnerability in the
+long deprecated OpenID authentication method in Flask AppBuilder. This
vulnerability allowed a malicious user
+to take over the identity of any Airflow UI user by forging a specially
crafted request and implementing
+their own OpenID service. While this is an old, deprecated and almost not used
authentication method, we still
+took the issue seriously.
+
+This issue ONLY affects users who have ``AUTH_OID`` set in their
``webserver_config.py`` file as
+``AUTH_TYPE``. This is a very old and deprecated authentication method that is
unlikely to be used by anyone.
+
+We would like to advise even the small number of our users that still use this
+authentication method to take an immediate action and either upgrade to Apache
Airflow 2.8.2 or switch to
+another authentication method (or apply a workaround we provide if they cannot
do either of the above
+immediately).
+
+Important to stress, because many of the users might get confused by the name,
OpenID is NOT the same as
+OpenID Connect. Those are completely different protocols and while OpenID
Connect (also known as OIDC) is
+a modern, widely used protocol, OpenID is a legacy protocol that has been
deprecated more than 10 years
+ago and since then has been abandoned by almost everyone in the community,
including all services in
+Flask AppBuilder example services that supported it, so it is highly unlikely
someone is still using it.
+
+Due to this highly unlikely configuration the [Flask AppBuilder
CVE](https://www.cve.org/CVERecord?id=CVE-2024-25128)
+is just "Moderate" not "Critical". It affects a very small (if any) number of
users and it's not likely
+to be a target for an attack. However, we still advise our users who still use
AUTH_OID to apply remediation.
+
+This vulnerability is fixed in Flask Appbuilder 4.3.11 and Apache Airflow
2.8.2 uses that version of Flask
+Application Builder. We advise users who still use this authentication method
to either switch to another
+authentication method or upgrade to Apache Airflow 2.8.2. If they cannot do
either
+of these solutions quickly, they should apply the workaround provided below.
+
+## Impact
+
+When Flask-AppBuilder is set to ``AUTH_TYPE`` set to ``AUTH_OID``, it allows
an attacker to forge an HTTP
+request that could deceive the backend into using any requested OpenID
service. This vulnerability
+could grant an attacker unauthorised privilege access if a custom OpenID
service is deployed
+by the attacker and accessible by the backend.
+
+This vulnerability is only exploitable when the application is using OpenID
(not OpenID Connect also known
+as OIDC). Currently, this protocol is regarded as legacy, with significantly
reduced usage.
+
+## Possible remediation
+
+* Change your authentication method - if you are using ``AUTH_OID``, there are
almost no commercial services
+ supporting it, it was deprecated 10 years ago and abandoned by nearly
everyone in the community 4 years
+ ago. Your best choice is to choose a different authentication method.
+* Upgrade to Apache Airflow 2.8.2 (which also upgrades to Flask-AppBuilder
4.3.11 that contains a fix)
+* If upgrade is not possible, apply the workaround below
+
+## Workarounds
+
+If upgrade or changing authentication method is not possible add the following
to
+your ``webserver_config.py`` file to fix the issue:
+
+```python
+import os
+
+from flask import flash, redirect
+from flask_appbuilder.security.forms import LoginForm_oid
+from flask_appbuilder.security.views import AuthOIDView
+from flask_appbuilder.views import expose
+
+from airflow.www.security import AirflowSecurityManager
+
+basedir = os.path.abspath(os.path.dirname(__file__))
+
+class FixedOIDView(AuthOIDView):
+ @expose("/login/", methods=["GET", "POST"])
+ def login(self, flag=True):
+ form = LoginForm_oid()
+ if form.validate_on_submit():
+ identity_url = None
+ for provider in self.appbuilder.sm.openid_providers:
+ if provider.get("url") == form.openid.data:
+ identity_url = form.openid.data
+ if identity_url is None:
+ flash(self.invalid_login_message, "warning")
+ return redirect(self.appbuilder.get_url_for_login)
+ return super().login(flag=flag)
+
+class FixedAirflowSecurityManager(AirflowSecurityManager):
+ authoidview = FixedOIDView
+
+SECURITY_MANAGER_CLASS = FixedAirflowSecurityManager
+```
+
+## Credits
+
+Big thanks to [Islam Rzayev](https://www.linkedin.com/in/islam-rzayev) for
finding out and reporting the issue responsibly and to [Daniel
Gaspar](https://github.com/dpgaspar) for
+very close cooperation on this one and coordinating the disclosure together
with the [Apache Superset](https://superset.apache.org/)
+where Flask AppBuilder is also used.
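Review bot: in the workaround snippet under "## Workarounds", `import os` and `basedir = os.path.abspath(os.path.dirname(__file__))` are never used by `FixedOIDView` or `FixedAirflowSecurityManager`; since readers are told to paste this block into `webserver_config.py`, drop the two dead lines so the workaround contains only what the fix needs (the `flask`, `flask_appbuilder` and `airflow.www.security` imports plus the two classes). It would also help to state next to the snippet that, once applied, the login form only accepts an identity URL that exactly matches a `url` entry in `self.appbuilder.sm.openid_providers`, so a user whose configured provider list is empty will be redirected back to the login page with `invalid_login_message` rather than logged in. Minor style point: the post spells the library four ways ("Flask AppBuilder", "Flask-AppBuilder", "Flask Appbuilder", "Flask Application Builder"); pick one, matching the CVE record's name, and use it throughout.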