Authenticated remote code execution due to insecure deserialization (GHSL-2022-063)

Critical
tetron published GHSA-8867-q4xf-cqgm Aug 12, 2022

Package

arvados (arvados)

Affected versions

< 2.4.1

Patched versions

2.4.2

Description

Summary

A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2.

This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypeScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack.

Impact

This issue may lead to Remote Code Execution (RCE).

Workaround

For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation.

Use the TypeScript browser-based "Workbench 2" application, or command line tools.

Credit

This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).

Severity

Critical

CVE ID

CVE-2022-36006