
[CVE-2017-17042] Update ruby plugins for vulnerable yard dependency #97

Open
majormoses opened this issue Jan 23, 2018 · 2 comments

@majormoses
Member

majormoses commented Jan 23, 2018

Update yard gems to 0.9.11+ to mitigate issue: https://nvd.nist.gov/vuln/detail/CVE-2017-17042. This is a high severity largely because it can be exploited over the network and could be used to exfiltrate data by reading sensitive files. It should be relatively easy to divide and conquer. If anyone would like to help out, please comment here claiming which ones you will work on. I will start at the top and work my way down, skipping any that are claimed. While we do not explicitly call out the use of ### Security in our changelog guidelines, there is mention of such in the Keep a Changelog guidelines which we are based on.

Github is the best:
[image]

Quick and dirty to find list of affected gems:

# any() tests name and requirement on the same development dependency, so unrelated entries in the array do not pair up and produce false positives
$ curl -s https://rubygems.org/api/v1/owners/Sensu_Plugins/gems.json | jq -r '.[] | select(any(.dependencies.development[]; .name == "yard" and .requirements == "~> 0.8")) | .name' | grep -v donotuse | sort | sed -e 's/^/- [ ] /'

Plugins needing updates:

  • sensu-plugins-ansible
  • sensu-plugins-apache
  • sensu-plugins-aws
  • sensu-plugins-azure
  • sensu-plugins-azurerm
  • sensu-plugins-beanstalk
  • sensu-plugins-bluepill
  • sensu-plugins-boundary
  • sensu-plugins-campfire
  • sensu-plugins-cassandra
  • sensu-plugins-ceph
  • sensu-plugins-cgroups
  • sensu-plugins-chatwork
  • sensu-plugins-chef
  • sensu-plugins-chrony
  • sensu-plugins-clockworksms
  • sensu-plugins-conntrack
  • sensu-plugins-consul
  • sensu-plugins-couchbase
  • sensu-plugins-couchdb
  • sensu-plugins-cpu-checks
  • sensu-plugins-cucumber
  • sensu-plugins-dashing
  • sensu-plugins-datadog
  • sensu-plugins-dcos
  • sensu-plugins-dhcp
  • sensu-plugins-disk-checks
  • sensu-plugins-dns
  • sensu-plugins-docker
  • sensu-plugins-eep
  • sensu-plugins-elasticsearch
  • sensu-plugins-entropy-checks
  • sensu-plugins-environmental-checks
  • sensu-plugins-erlang
  • sensu-plugins-etcd
  • sensu-plugins-execute
  • sensu-plugins-eye
  • sensu-plugins-filesystem-checks
  • sensu-plugins-flowdock
  • sensu-plugins-fluentd
  • sensu-plugins-freeradius
  • sensu-plugins-ftp
  • sensu-plugins-gearman
  • sensu-plugins-geckoboard
  • sensu-plugins-gelf
  • sensu-plugins-github
  • sensu-plugins-gluster
  • sensu-plugins-golang
  • sensu-plugins-google-spreadsheets
  • sensu-plugins-gpg
  • sensu-plugins-graphite
  • sensu-plugins-graylog
  • sensu-plugins-greylog
  • sensu-plugins-growthforecast
  • sensu-plugins-gtalk
  • sensu-plugins-haproxy
  • sensu-plugins-hardware
  • sensu-plugins-hbase
  • sensu-plugins-hipchat
  • sensu-plugins-http
  • sensu-plugins-hubot
  • sensu-plugins-icecast
  • sensu-plugins-iis
  • sensu-plugins-imap
  • sensu-plugins-imkayac
  • sensu-plugins-influxdb
  • sensu-plugins-io-checks
  • sensu-plugins-ipmi
  • sensu-plugins-ipvs
  • sensu-plugins-irc
  • sensu-plugins-java
  • sensu-plugins-jenkins
  • sensu-plugins-jolokia
  • sensu-plugins-kannel
  • sensu-plugins-kegbot
  • sensu-plugins-kubernetes
  • sensu-plugins-librato
  • sensu-plugins-load-checks
  • sensu-plugins-logs
  • sensu-plugins-logstash
  • sensu-plugins-lvm
  • sensu-plugins-lxc
  • sensu-plugins-mackerel
  • sensu-plugins-mailer
  • sensu-plugins-mailgun
  • sensu-plugins-memcached
  • sensu-plugins-memory-checks
  • sensu-plugins-mesos
  • sensu-plugins-messagemedia
  • sensu-plugins-microsoft-teams
  • sensu-plugins-mongodb
  • sensu-plugins-monit
  • sensu-plugins-mysql
  • sensu-plugins-nbzget
  • sensu-plugins-netscaler
  • sensu-plugins-network-checks
  • sensu-plugins-newrelic
  • sensu-plugins-nginx
  • sensu-plugins-ngnix
  • sensu-plugins-nrpe
  • sensu-plugins-ntp
  • sensu-plugins-nvidia
  • sensu-plugins-officehours
  • sensu-plugins-openldap
  • sensu-plugins-openstack
  • sensu-plugins-opentsdb
  • sensu-plugins-openvpn
  • sensu-plugins-opsgenie
  • sensu-plugins-pacemaker
  • sensu-plugins-pagerduty
  • sensu-plugins-pdns
  • sensu-plugins-percona
  • sensu-plugins-php-fpm
  • sensu-plugins-pingdom
  • sensu-plugins-ponymailer
  • sensu-plugins-postfix
  • sensu-plugins-postgres
  • sensu-plugins-process-checks
  • sensu-plugins-puma
  • sensu-plugins-puppet
  • sensu-plugins-pushover
  • sensu-plugins-qmail
  • sensu-plugins-rabbitmq
  • sensu-plugins-raid-checks
  • sensu-plugins-redis
  • sensu-plugins-request-tracker
  • sensu-plugins-resque
  • sensu-plugins-rethinkdb
  • sensu-plugins-riak
  • sensu-plugins-riemann
  • sensu-plugins-rspec
  • sensu-plugins-selinux
  • sensu-plugins-selinx
  • sensu-plugins-sensu
  • sensu-plugins-sensu-plugins-fluentd
  • sensu-plugins-sentry
  • sensu-plugins-serverspec
  • sensu-plugins-sftp
  • sensu-plugins-sidekiq
  • sensu-plugins-signifai
  • sensu-plugins-sip
  • sensu-plugins-skyline
  • sensu-plugins-slack
  • sensu-plugins-sms
  • sensu-plugins-snmp
  • sensu-plugins-solr
  • sensu-plugins-splunk
  • sensu-plugins-springboot
  • sensu-plugins-ssl
  • sensu-plugins-statuspage
  • sensu-plugins-strongswan
  • sensu-plugins-supervisor
  • sensu-plugins-switchvox
  • sensu-plugins-syslog-ng
  • sensu-plugins-systemd
  • sensu-plugins-talker
  • sensu-plugins-telapi
  • sensu-plugins-telegram
  • sensu-plugins-tempodb
  • sensu-plugins-tomcat
  • sensu-plugins-traffic-server
  • sensu-plugins-tripwire
  • sensu-plugins-twemproxy
  • sensu-plugins-twilio
  • sensu-plugins-twitter
  • sensu-plugins-ubiquiti
  • sensu-plugins-uchiwa
  • sensu-plugins-unicorn
  • sensu-plugins-ups
  • sensu-plugins-uptime-checks
  • sensu-plugins-varnish
  • sensu-plugins-victorops
  • sensu-plugins-vmstats
  • sensu-plugins-windows
  • sensu-plugins-wordpress
  • sensu-plugins-xen
  • sensu-plugins-xmpp
  • sensu-plugins-youtube
  • sensu-plugins-zendesk
  • sensu-plugins-zookeeper
@majormoses
Member Author

If you are using bundler for dependency management in your production environments, please make sure you use bundle install --without development to avoid installing these on servers. How to evaluate the severity as it impacts you:

Local development machines

This is a high risk as you typically install via bundler and would not use --without development.

Servers

  • If using bundler: High unless you properly use --without development, in which case medium.
  • If manually defining your dependencies and passing them to gem install directly, then it is medium.
  • You should take special note if you use sensu plugins and give wider privileges than necessary; if so, this is even more terrifying, as it could be used to exfiltrate more sensitive information than normally allowed, since the exfiltration would at least be limited to whatever the user that executes has access to.
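One way to check both points raised in this thread, as an added example that is not code from the issue or from any sensu-plugins project: does a deployed Gemfile.lock pin yard below the fixed release, and does a gemspec's development requirement (such as the "~> 0.8" the jq query above looks for) even permit 0.9.11, or must the gemspec be bumped? It uses only RubyGems' own Gem::Version and Gem::Requirement; the lock-file fragment and the docs-helper gem in it are constructed.

```ruby
# Added example (not from the sensu-plugins issue): audit a Gemfile.lock and a
# gemspec requirement against the yard release that fixes CVE-2017-17042.
require "rubygems"
FIXED_YARD = Gem::Version.new("0.9.11")

# Return the version Bundler locked for gem_name from "    yard (0.8.7.6)"
# style lines, or nil if the gem is not in the bundle. Dependency lines such
# as "yard (~> 0.8)" carry a requirement, not a version, and are skipped.
def locked_version(lockfile_text, gem_name = "yard")
  pattern = /\A\s+#{Regexp.escape(gem_name)} \((\d[\w.]*)\)\s*\z/
  lockfile_text.each_line do |line|
    m = line.match(pattern)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the bundle would install a yard older than the fixed release.
def lock_vulnerable?(lockfile_text)
  v = locked_version(lockfile_text)
  !v.nil? && v < FIXED_YARD
end

# Does a gemspec's add_development_dependency requirement (e.g. "~> 0.8")
# permit the fixed release? If it does, `bundle update yard` is enough;
# if not, the gemspec itself has to be bumped.
def requirement_allows_fix?(requirement_string)
  Gem::Requirement.new(requirement_string).satisfied_by?(FIXED_YARD)
end

# Constructed Gemfile.lock fragment in the layout Bundler writes.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      docs-helper (1.0.0)
        yard (~> 0.8)
      rubocop (0.51.0)
      yard (0.8.7.6)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "locked yard #{locked_version(SAMPLE_LOCK)}: vulnerable=#{lock_vulnerable?(SAMPLE_LOCK)}"
  ["~> 0.8", "~> 0.8.7", ">= 0.9.11"].each do |req|
    puts "#{req.ljust(9)} allows 0.9.11: #{requirement_allows_fix?(req)}"
  end
end
```

Note that "~> 0.8" does allow 0.9.11, so for gems declared that way a lock-file refresh fixes the install, while "~> 0.8.7" caps at 0.9 and needs a gemspec change.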

@cwjohnston
Contributor

@majormoses thanks for your work here documenting the need to upgrade dependencies and keep our community up-to-date and free of security vulnerabilities.

I think it is important that the work you've described here move forward expeditiously, but I want to chime in to help others who find this issue understand how this vulnerability might affect their systems when installing gem artifacts from these projects.

As you've mentioned, using Bundler to install a defined set of gems will likely pull in these development dependencies. I think the situation is different for those using sensu-install or the embedded gem executables to install single gem packages.

In reviewing a sample of sensu-plugin projects described in the Github issue, I have manually installed some of these projects using sensu-install and I have observed that development dependencies like yard and rubocop are not in fact installed as a side-effect of using sensu-install or gem commands.

Folks can test this for themselves by installing any of the projects listed in the original post here via /usr/bin/sensu-install, and then using the /opt/sensu/embedded/bin/gem executable to list installed gems, e.g.:

root@sensu:~# sensu-install -p sensu-plugins-apache
[SENSU-INSTALL] installing Sensu plugins ...
[SENSU-INSTALL] determining if Sensu gem 'sensu-plugins-apache' is already installed ...
false
[SENSU-INSTALL] Sensu plugin gems to be installed: ["sensu-plugins-apache"]
[SENSU-INSTALL] installing Sensu gem 'sensu-plugins-apache'
Fetching: sensu-plugins-apache-2.0.0.gem (100%)
You can use the embedded Ruby by setting EMBEDDED_RUBY=true in /etc/default/sensu
Successfully installed sensu-plugins-apache-2.0.0
1 gem installed
[SENSU-INSTALL] successfully installed Sensu plugins: ["sensu-plugins-apache"]
root@sensu:~# /opt/sensu/embedded/bin/gem list | grep apache
sensu-plugins-apache (2.0.0)
root@sensu:~# /opt/sensu/embedded/bin/gem list | grep yard
root@sensu:~# /opt/sensu/embedded/bin/gem list | grep rubocop
root@sensu:~# 
