NFLX-2020-001
Server-Side Template Injection in Netflix Conductor
Aladdin Almubayed / amubaied@netflix.com
2020-02-24
Conductor
CVE-2020-9296
https://github.com/Netflix/conductor
High
The GitHub Security Labs team (@pwntester) identified a security vulnerability in Netflix Conductor. The vulnerability discovered allows an attacker to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability.
This issue may lead to Remote Code Execution in Netflix Conductor versions <= v2.25.3
Netflix Conductor uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Conductor has been patched as of 24 Feb 2020. The fix updated validation code to use Apache bval rather than hibernate-validator, which is vulnerable.
Users of Conductor should adopt the patched version of Conductor (>=v2.25.3). Netflix/conductor#1543