[ https://issues.apache.org/jira/browse/AMBARI-26059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
tari updated AMBARI-26059:
--------------------------

Description:

Apache Ambari versions 2.1.0-rc0 to 2.8.0-rc1 allow a malicious authenticated user to execute arbitrary commands remotely. As in the screenshot below, `touch /tmp/pwn` (or any other command) can be executed.

!image-2024-03-02-10-47-54-706.png!

I think we should not use `sh -c` or `cmd /c` to execute shell commands, which leads to command injection.

To fix this issue, there are two steps we should follow:

# Replace `sh -c` or `cmd /c` with parameterized command execution
# The above fixes the use of special characters like `$.....` to inject an evil command into the `script` var, but it can't prevent path traversal to execute an evil command; if any input content in `properties` contains `..`, we should block it and return a failure message to the front end

I have emailed the complete reproduction steps to [~brahmareddy]. You can forward it to him if necessary.

> Improve ambari-server ProcessBuilder security
> ---------------------------------------------
>
>                 Key: AMBARI-26059
>                 URL: https://issues.apache.org/jira/browse/AMBARI-26059
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0, 2.3.0, 2.2.2, 2.4.4, 2.5.3, 2.6.2, 2.8.0, 2.7.8
>            Reporter: tari
>            Priority: Critical
>              Labels: security
>         Attachments: image-2024-03-02-10-47-54-706.png
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
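The two-step fix the report proposes (drop `sh -c` / `cmd /c` in favour of an argument list, and reject `..` in `properties`) as an added worked example in Java. This is illustration code, not Ambari's own ProcessBuilder code: the class and method names, the `SCRIPT_DIR` location, the `script` / `properties` parameters and the sample inputs are all assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * Added example, not project code. Shows the vulnerable shell-string pattern
 * the report describes beside a parameterized replacement that also applies
 * the ".." check requested in step 2. All names here are assumed.
 */
public class SafeScriptRunner {

    /** Assumed directory that the runnable scripts live in. */
    private static final Path SCRIPT_DIR =
            Paths.get("/var/lib/ambari-server/resources/scripts").toAbsolutePath().normalize();

    /**
     * VULNERABLE (the pattern the report objects to): user-controlled text is
     * concatenated into one string that a shell parses, so a value such as
     * "x; touch /tmp/pwn" or "$(touch /tmp/pwn)" becomes an extra command.
     */
    static ProcessBuilder vulnerable(String script, Map<String, String> properties) {
        StringBuilder cmd = new StringBuilder(script);
        for (Map.Entry<String, String> e : properties.entrySet()) {
            cmd.append(' ').append(e.getKey()).append('=').append(e.getValue());
        }
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        return windows
                ? new ProcessBuilder("cmd", "/c", cmd.toString())
                : new ProcessBuilder("sh", "-c", cmd.toString());
    }

    /**
     * HARDENED (step 1 + step 2): no shell is involved. Each property becomes
     * exactly one argv element, so shell metacharacters are passed through as
     * literal text, and the script path is confined to SCRIPT_DIR.
     */
    static ProcessBuilder hardened(String script, Map<String, String> properties) {
        Path resolved = resolveScript(script);
        List<String> argv = new ArrayList<>();
        argv.add(resolved.toString());
        for (Map.Entry<String, String> e : properties.entrySet()) {
            rejectTraversal(e.getKey());
            rejectTraversal(e.getValue());
            argv.add(e.getKey() + "=" + e.getValue()); // one argv entry, never re-parsed
        }
        return new ProcessBuilder(argv);
    }

    /** Confine the script to SCRIPT_DIR after normalizing away any "..". */
    static Path resolveScript(String script) {
        rejectTraversal(script);
        Path p = SCRIPT_DIR.resolve(script).normalize();
        if (!p.startsWith(SCRIPT_DIR)) {
            throw new IllegalArgumentException("script escapes script directory: " + script);
        }
        return p;
    }

    /** Step 2 from the report: refuse any input that contains "..". */
    static void rejectTraversal(String input) {
        if (input == null || input.contains("..")) {
            throw new IllegalArgumentException("path traversal rejected: " + input);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: a property value carrying a shell injection.
        Map<String, String> props = Map.of("name", "x; touch /tmp/pwn");

        // Vulnerable: "sh -c" receives a single string containing "; touch /tmp/pwn".
        System.out.println("vulnerable argv: " + vulnerable("start.sh", props).command());

        // Hardened: the same text is one argv element handed to start.sh unchanged.
        System.out.println("hardened argv:   " + hardened("start.sh", props).command());

        // Hardened: a traversal attempt in the script name is rejected before execution.
        try {
            hardened("../../bin/evil.sh", props);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The example only builds the `ProcessBuilder` and prints `command()` rather than calling `start()`, so it runs without the assumed scripts existing. Note that the literal `..` check from step 2 is deliberately blunt (a value such as `1..5` is also refused); the `normalize()` plus `startsWith(SCRIPT_DIR)` check in `resolveScript` is what actually guarantees the script stays inside the intended directory, and the two checks are kept together so both of the report's steps are visible.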