A number of security vulnerabilities were recently discovered by
Bartlomiej Balcerek and colleagues at the Wroclaw Centre for
Networking and Supercomputing, which have been fixed in the current
stable Galaxy release (2014.10.06). We have simultaneously created a
new stable release (2015.01.13) today which includes these fixes as
well as new features. Galaxy server administrators are STRONGLY
encouraged to update their Galaxy servers to one of these releases
immediately.

The first vulnerability identified would allow a malicious person to
execute arbitrary code on a Galaxy server. The vulnerability is due to
gaps in Galaxy's command line template parameter sanitization.
Although all form fields were sanitized for shell metacharacters, some
other parameters that might be provided to tools on the command line
(such as the input dataset name) were not. Because of this, dataset
names and other fields could be constructed to exploit this
vulnerability.
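The following is an added illustration of the sanitization gap described above, not Galaxy's own code: a tool command line is built from a template, form fields pass through a metacharacter-stripping sanitizer, but a dataset name (which the user also controls) is substituted verbatim. The template, the `sanitize_form_field` stand-in, the sample form values and the dataset name are all constructed for the example. The hardened variant quotes every value that reaches the template regardless of where it came from, and `extra_commands` tokenises the result the way a POSIX shell would to show whether a second command was smuggled in.

```python
import shlex
import string

# Shell metacharacters stripped by the form-field sanitizer.
# Constructed stand-in; this is not Galaxy's actual sanitizer.
SHELL_META = set(";&|`$<>()\n")


def sanitize_form_field(value):
    """Stand-in for per-form-field sanitization: drop shell metacharacters."""
    return "".join(ch for ch in value if ch not in SHELL_META)


def render_vulnerable(template, form_fields, dataset_name):
    """Reproduces the gap: form fields are sanitized, the dataset name is not."""
    params = {k: sanitize_form_field(v) for k, v in form_fields.items()}
    params["input_name"] = dataset_name  # copied verbatim from the dataset record
    return string.Template(template).substitute(params)


def render_hardened(template, form_fields, dataset_name):
    """Quote every value that reaches the template, whatever its origin,
    so each one becomes exactly one argv element for the tool."""
    params = dict(form_fields)
    params["input_name"] = dataset_name
    quoted = {k: shlex.quote(v) for k, v in params.items()}
    return string.Template(template).substitute(quoted)


# Operators that start a new command or pipeline in a POSIX shell.
CONTROL_OPERATORS = {";", "&&", "||", "|", "&"}


def extra_commands(command_line):
    """Tokenise like a POSIX shell and return any control operators found
    outside quotes. A non-empty list means the injected text would run as
    a separate command."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return [tok for tok in lex if tok in CONTROL_OPERATORS]


def parse_argv(command_line):
    """The argv the tool process would actually receive."""
    return shlex.split(command_line)


# Constructed sample input: a hypothetical tool template, a form field that
# tries to inject, and a dataset whose name also tries to inject.
TEMPLATE = "tool_wrapper --input $input_name --threshold $threshold"
FORM_FIELDS = {"threshold": "5; rm -rf /tmp/x"}
DATASET_NAME = "reads.fq; touch /tmp/owned"

if __name__ == "__main__":
    vuln = render_vulnerable(TEMPLATE, FORM_FIELDS, DATASET_NAME)
    print("vulnerable:", vuln)
    print("  injected operators:", extra_commands(vuln))
    safe = render_hardened(TEMPLATE, FORM_FIELDS, DATASET_NAME)
    print("hardened:  ", safe)
    print("  injected operators:", extra_commands(safe))
    print("  argv:", parse_argv(safe))
```

In the vulnerable rendering the form field loses its `;` and is harmless, but the dataset name keeps its `;` and `touch /tmp/owned` becomes a second command. Quoting at the point where values enter the template, rather than sanitizing at the form layer, closes the gap for every parameter source at once, including ones added later.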

Due to the severity of this specific vulnerability, the fix for it has
been applied back to previous releases beginning with the January 13,
2013 release. The fix can be obtained by executing
`hg pull && hg update latest_<YYYY>.<MM>.<DD>`, replacing the date with
the date of the release currently in use.

In addition to the code execution exploit, Bartlomiej identified a
number of cross-site scripting (XSS) vulnerabilities, which we have
fixed in our new and previous stable releases. We only backport fixes
to earlier stable releases for exploits that we believe allow an
attacker to readily gain access to the Galaxy server; nonetheless, we
consider these XSS vulnerabilities serious and strongly recommend that
public servers upgrade to at least the previous stable release, using
the latest_2014.10.06 tag, to address them.

The Galaxy Team also performed an audit to locate and fix any
additional XSS vulnerabilities that might exist. Additional details on
issues found and resolved can be found in the January 13, 2015 Galaxy
Distribution News Brief at:

    https://wiki.galaxyproject.org/DevNewsBriefs/2015_01_13

To get the changes, for example, if you are running release_2014.10.06
(or a subsequent commit to the stable branch of Galaxy between
release_2014.10.06 and release_2015.01.13), you can update with:

  % hg pull
  % hg update latest_2014.10.06

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.

The Galaxy Team would like to extend special thanks to Bartlomiej
Balcerek and colleagues, who privately disclosed the arbitrary code
execution and XSS vulnerabilities, with a full report and proof of
concepts.

Credit for the arbitrary code execution fix goes to my fellow Galaxy
Team member Daniel Blankenberg. The entire team worked to resolve the
identified XSS issues and conduct the larger code audit.

On behalf of the Galaxy Team,
--nate
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/
