CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn
Severity: Major
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Brooklyn 0.9.0 and all prior versions
Description:
Apache Brooklyn's REST server is vulnerable to cross-site request forgery
(CSRF), which could permit a malicious web site to produce a link which, if
clicked whilst a user is logged in to Brooklyn, would cause the server to
execute the attacker's commands as the user. There is known to be a
proof-of-concept exploit using this vulnerability.
Solution:
Upgrade to Apache Brooklyn 0.10.0. This includes commit [1] adding opt-in
CSRF protection server-side and commit [2] where the JS client opts-in.
Temporary mitigation if you cannot upgrade to 0.10.0:
Do not visit websites with possible malicious content targeted at you in
the same browser instance logged in to Brooklyn unless you have CSRF-POST
protection installed in the browser (see [3]). Do not share a Brooklyn
server with untrusted users without an enhanced entitlements scheme. Do
not publicize the address of Brooklyn-based UIs. If a link you click on
takes you to Brooklyn unexpectedly, contact your security team immediately.
Example exploit:
Attacker puts something like this into their malicious site:
<form
action="http://<Brooklyn>/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked"
method="POST">
If the user clicks on this when logged in, the name of that entity will be
changed by the attacker.
Credit:
This vulnerability was discovered by Toshitsugu Yoneyama of Mitsui Bussan
Secure Directions, Inc., and reported to JPCERT/CC, who reported it to the
Apache Software Foundation on his behalf.
References:
[1] https://github.com/apache/brooklyn-server/pull/430
[2] https://github.com/apache/brooklyn-ui/pull/37
[3] https://en.wikipedia.org/wiki/Cross-site_request_forgery#Client_side_safeguards
Other references:
JPCERT/CC JVN#55489964