Advisory ID:

NFLX-2017-001

Advisory Title:

Authenticated Remote Code Execution and Arbitrary File and URL access in Spinnaker

Author:

Dave King / dking@netflix.com

Release Date:

04/14/2017

Application:

Spinnaker (specifically Orca)

Release:

orca < 1.390.0

Source:

https://github.com/spinnaker/orca

Severity:

Critical

Overview:

Spinnaker includes an implimentation of Spring Expression Language (SpEL) called Pipeline Expression Language that can be used in areas like comments to pull data from external sources to use in pipelines (more info http://www.spinnaker.io/docs/pipeline-expressions-guide#fromurlstring ). It was discovered that you can leverage this feature to gain remote code execution and access arbitrary files and URLs. It is recommended that users update as soon as possible.

Patch:

orca < 1.390.0 https://github.com/spinnaker/orca/releases/tag/v1.390.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nflx-2017-001.md

nflx-2017-001.md

Advisory ID:

Advisory Title:

Author:

Release Date:

Application:

Release:

Source:

Severity:

Overview:

Patch:

Files

nflx-2017-001.md

Latest commit

History

nflx-2017-001.md

File metadata and controls

Advisory ID:

Advisory Title:

Author:

Release Date:

Application:

Release:

Source:

Severity:

Overview:

Patch: