NFLX-2020-006
SpEL Template injection on Netflix Spinnaker
Aladdin Almubayed / [email protected]
2020-12-08
Spinnaker
CVE-2020-9301
https://github.com/spinnaker/spinnaker
High
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker. The vulnerability exists within the handling of SpEL expressions that allows an attacker to read and write arbitrary files within the orca container via authenticated HTTP POST requests.
This issue can lead to Remote Code Execution.
The pipeline API endpoint in spinnaker is vulnerable to object deserialization via loading of arbitrary YAML strings. This allows for the instantiation of attacker controlled classes, which can lead to arbitrary reading and writing of files as the spinnaker user within the orca container. Specifically, the entire body of a POST request with content type text/plain sent to the vulnerable endpoint will be evaluated with the Spring Expression Language (SpEL) which allows for almost arbitrary code execution with certain limitations. In addition to the standard SpEL features, orca has added some URL fetching and YAML parsing functionality. This additional functionality allows for the instantiation of arbitrary objects via YAML deserialization which allows for the bypass of restrictions in SpEL evaluation. This results in arbitrary file read/write within the orca container.
All SnakeYAML-based parsers accepting untrusted input now use the SafeConstructor constructor. This allowlist greatly limits the Java types available during deserialization
Spinnaker has been patched please upgrade to spinnaker version 1.23.4, 1.22.4 or 1.21.5 and above