Advisory ID:
NFLX-2020-006
Advisory Title:
SpEL Template injection on Netflix Spinnaker
Author:
Aladdin Almubayed / amubaied@netflix.com
Release Date:
2020-12-08
Application:
Spinnaker
CVE ID
CVE-2020-9301
Source:
https://github.com/spinnaker/spinnaker
Severity:
High
Overview:
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker. The vulnerability exists within the handling of SpEL expressions that allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.
Impact:
This issue can lead to Remote Code Execution.
Description:
The pipeline API endpoint in spinnaker is vulnerable to object deserialization via loading of arbitrary YAML strings. This allows for the instantiation of attacker controlled classes, which can lead to arbitrary reading and writing of files as the spinnaker user within the orca container. Specifically, the entire body of a POST request with content type text/plain sent to the vulnerable endpoint will be evaluated with the Spring Expression Language (SpEL) which allows for almost arbitrary code execution with certain limitations. In addition to the standard SpEL features, orca has added some URL fetching and YAML parsing functionality. This additional functionality allows for the instantiation of arbitrary objects via YAML deserialization which allows for the bypass of restrictions in SpEL evaluation. This results in arbitrary file read/write within the orca container.
The Fix
All SnakeYAML-based parsers accepting untrusted input now use the SafeConstructor constructor. This allowlist greatly limits the Java types available during deserialization
Patch:
Spinnaker has been patched please upgrade to spinnaker version 1.23.4, 1.22.4 or 1.21.5 and above