
2 CVEs in Superset
Closed, Resolved · Public · Security

Details

Risk Rating
Medium
Author Affiliation
WMF Technology Dept

Event Timeline

There is also a separate issue which is a configuration-based Remote Code Execution vulnerability in the superset.wmcloud.org instance (not the superset.wikimedia.org instance), caused by the use of a guessable secret key in the Flask superset configuration as described in this article: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/

flask-unsign --unsign --cookie < superset-wmcloud-cookie

[*] Session decodes to: {'_fresh': True, '_id': '9cb...[truncating]', ''), 'oauth_provider': 'mediawiki', 'oauth_state': '5JeER5yK7NYS9OUia1UFiCYo2uCtvc'}
[*] No wordlist selected, falling back to default wordlist..
[*] Starting brute-forcer with 8 threads..
[*] Attempted (2176): -----BEGIN PRIVATE KEY-----ECR
[+] Found secret key after 21248 attempts25zckjdhdgeA
'thisISaSECRET_1234'
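As an added, defender-side example (not code from this task, from WMF or from the Superset project), a small static check for the weakness described above: it pulls the SECRET_KEY literal out of a superset_config.py fragment, flags the guessable value recovered here together with a placeholder-style default, and generates a replacement of the size the Superset docs recommend. The weak-key list, the length and entropy thresholds and the sample config fragments are assumptions constructed for illustration.

```python
"""Audit a Superset (Flask) config fragment for a guessable SECRET_KEY."""
import ast
import math
import secrets
from collections import Counter

# Assumed, illustrative list: the value recovered on this task plus a
# placeholder-style default. flask-unsign's wordlist is far larger.
KNOWN_WEAK_KEYS = {"thisISaSECRET_1234", "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}
MIN_LENGTH = 32           # assumed floor; Superset docs suggest 42 random bytes
MIN_BITS_PER_CHAR = 3.5   # assumed Shannon-entropy floor per character


def shannon_bits_per_char(s: str) -> float:
    """Per-character Shannon entropy; random base64 scores well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_secret_key(config_source: str):
    """Return the string literal assigned to SECRET_KEY, else None.

    None also covers the case where the key comes from os.environ or another
    expression: the config cannot be judged statically, so check it at runtime.
    """
    for node in ast.walk(ast.parse(config_source)):
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets
        ):
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                return node.value.value
    return None


def assess_secret_key(key):
    """Return finding codes for a key; an empty list means nothing was flagged."""
    if key is None:
        return ["not-a-literal"]
    findings = []
    if key in KNOWN_WEAK_KEYS:
        findings.append("known-default")
    if len(key) < MIN_LENGTH:
        findings.append("too-short")
    if shannon_bits_per_char(key) < MIN_BITS_PER_CHAR:
        findings.append("low-entropy")
    return findings


def generate_secret_key() -> str:
    """42 random bytes, URL-safe base64 (same size as `openssl rand -base64 42`)."""
    return secrets.token_urlsafe(42)


# Constructed sample fragments: the weak setting beside a corrected one.
WEAK_CONFIG = 'SECRET_KEY = "thisISaSECRET_1234"\n'
FIXED_CONFIG = f'SECRET_KEY = "{generate_secret_key()}"\n'
```

Rotating SECRET_KEY invalidates every existing signed session cookie, so schedule the change with a forced re-login in mind.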
Volans subscribed.

Adding Data-Platform-SRE as they own the production installation of Superset.

BTullis added subscribers: rook, BTullis.

Thanks for adding us.
For the superset.wikimedia.org instance, these CVEs are already being tracked by T335356.

For the superset.wmcloud.org instance, I suspect that @rook will be the person best placed to advise on our level of exposure and/or notify other people in the WMCS team to have a look at it.
I agree with the comment in T345928#9152910 that we should also change the secret key on the cloud instance as soon as possible.

So I'm going to remove Data-Platform-SRE for now as it's not our team, but subscribe to the ticket and I'll check back soon to make sure that it's being handled.

Assuming I checked everything correctly (always worth questioning that one), the newest helm chart appears to still be on 2.1.0:
superset/superset 0.10.6 2.1.0 Apache Superset is a modern, enterprise-ready b...
Should be easy to bump once they release a new helm chart.

I believe superset.wmcloud.org is no longer affected

sbassett claimed this task.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Any reason not to make this task public? I'm not really seeing any unless the separate RCE/secret key issue above is still a concern.

sbassett triaged this task as Medium priority. Feb 5 2024, 5:58 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.