Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict path segments in TenantIDs (CVE-2021-36156 CVE-2021-36157) #4020

Merged
merged 1 commit into from
Jul 21, 2021
Merged

Restrict path segments in TenantIDs (CVE-2021-36156 CVE-2021-36157) #4020

merged 1 commit into from
Jul 21, 2021

Conversation

simonswine
Copy link
Contributor

@simonswine simonswine commented Jul 21, 2021
edited
Loading

What this PR does:

Updates cortex dependency to prevent paths derived from TenantIDs to become vulnerable to path traversal attacks. CVE-2021-36156 CVE-2021-36157

Edit added more details.

An attacker, with suitable access, could trick Loki into sending the contents of files it has access to.

The vulnerability is that the header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to say something like ../../sensitive/path/in/deployment then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

Other Loki API requests can also be sent a malicious OrgID header, e.g. tricking the ingester into writing metrics to a different location, but the effect is nuisance rather than disclosure.

Mitigations:

  • If you have a proxy in front of Loki that supplies the OrgID header, so it cannot be crafted by an attacker, then you are not vulnerable. We always recommend such a proxy

  • If you run Loki with limited access to sensitive files, e.g. in a container or chroot, and as a user with limited access, then this will constrain the vulnerability to that access.

@simonswine simonswine requested a review from a team as a code owner July 21, 2021 13:36
@simonswine simonswine force-pushed the 20210721_invalidate-path-segements-in-orgid branch from 1388334 to c16be9c Compare July 21, 2021 13:37
slim-bean
slim-bean approved these changes Jul 21, 2021
View reviewed changes
Copy link
Collaborator

@slim-bean slim-bean left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@simonswine
Restrict path segments in TenantIDs
39db6f2 
Updates cortex dependency to prevent paths derived from TenantIDs to
become vulnerable to path traversal attacks. CVE-2021-36156
CVE-2021-36157

Signed-off-by: Christian Simon <simon@swine.de>
@simonswine simonswine force-pushed the 20210721_invalidate-path-segements-in-orgid branch from c16be9c to 39db6f2 Compare July 21, 2021 13:42
@slim-bean slim-bean merged commit 2fd633c into grafana:main Jul 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slim-bean slim-bean slim-bean approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@simonswine @slim-bean