rdblue opened a new issue, #16491: URL: https://github.com/apache/iceberg/issues/16491
> This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution. > > Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them. # Summary The REST catalog spec tells clients to call `/v1/config`, merge the returned `defaults` and `overrides` into their final configuration, and later honor table-level `config` values from `LoadTableResult`. That is effectively remote client reconfiguration. The problem is that the spec never defines a safe allow-list for which keys a server may control. A malicious, compromised, or tenant-influenced catalog can therefore try to steer security-sensitive client behavior instead of merely returning neutral table metadata. # Affected Maven coordinates * published spec artifact: `org.apache.iceberg:iceberg-open-api` * client merge and REST transport paths in `org.apache.iceberg:iceberg-core` * downstream credential consumers including `org.apache.iceberg:iceberg-aws`, `org.apache.iceberg:iceberg-azure`, and `org.apache.iceberg:iceberg-gcp` # Attacker prerequisites * control over `/v1/config` defaults or overrides, or over table-level `config` values returned from the catalog * a client that automatically merges those values into its HTTP, auth, or FileIO configuration without an explicit allow-list # Example risky properties Examples of already-defined Iceberg properties that become dangerous when a server can set them include: * `oauth2-server-uri` to redirect token acquisition * `header.*` to inject or overwrite outbound HTTP headers * `rest.client.proxy.hostname`, `rest.client.proxy.port`, `rest.client.proxy.username`, and `rest.client.proxy.password` to force traffic through a proxy * `rest.client.tls.configurer-impl`, `file-io-impl`, `metrics-reporter-impl`, `client.factory`, and `s3.client-factory-impl` to steer reflective class loading or transport behavior # Impact * A server-controlled `oauth2-server-uri` or `header.*` value can redirect token acquisition or inject attacker-chosen headers into authenticated outbound traffic. * A server-controlled `rest.client.proxy.*` value can force catalog traffic through an attacker-observable intermediary. * A server-controlled implementation class setting such as `file-io-impl`, `metrics-reporter-impl`, `client.factory`, `s3.client-factory-impl`, or `rest.client.tls.configurer-impl` expands the blast radius from bad configuration into reflective code loading or gadget execution paths. # Proof status Source review only. The issue is visible directly in the published spec text. # Key source references * open-api/rest-catalog-open-api.yaml * org.apache.iceberg.rest.RESTSessionCatalog * org.apache.iceberg.CatalogUtil Current severity assessment [2]: Important [1] https://iceberg.apache.org/security/ [2] https://security.apache.org/blog/severityrating/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
