CVE-2019-10768 in Angular libs < 1.7.9

Bug #1997545 reported by Jakub Darmach
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
New
Undecided
Unassigned
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

Our organisation was contacted by an ethical hacker notifying us about a security vulnerability. Wallaby Horizon seems to be vulnerable to prototype pollution, identified in CVE-2019-10768.

"In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload."

We'd need to update Xstatic-angular above 1.7.9 - which I think happens in:
https://github.com/openstack/horizon/commit/a31da2484427425dc453269d591acebeffa99d3b

We should backport this back down to Wallaby/Xena if possible.
__________________________

Details from original message below:

Summary :
An Object.prototype pollution vulnerability exists in the AngularJS used in the website. In AngularJS there are some versions that have the function merge(), which can be used by an attacker for adding or modifying properties of Object.prototype using a __proto__ payload.

Steps to Reproduce:

Step 1: Enter the following URL https://XXXXhorizonXXXX/auth/login/?next=/
Step 2: Press F12 or Right-click and click on inspect element
Step 3: Enter the below payload in the console.

Payloads:
angular.merge({}, JSON.parse('{"__proto__": {"xxx": "polluted"}}'));
console.log(({}).xxx);

Step 4: Now check if console.log outputs the "polluted".

Impact:
The impact depends on the application. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution, or Property Injection.

References materials:
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-534884
https://hackerone.com/reports/878394
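The steps above can only be reproduced against a live Horizon instance. The following is an added example, written for this page and not code from Horizon, AngularJS or the reporter: a minimal recursive deep-merge (assumed here as a stand-in for the affected AngularJS merge(), not a copy of it) that recurses into a `__proto__` key exactly as the payload in the report relies on, beside a hardened merge that skips `__proto__`, `constructor` and `prototype`, and a console check that tells an operator whether `Object.prototype` has already been polluted. The payload string is the one from the report; everything else is constructed for the example.

```javascript
// Added example (not AngularJS code): a recursive merge that reproduces the
// CVE-2019-10768 class of bug, the hardened form, and a quick check.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable stand-in: recurses into every own enumerable key of src.
// JSON.parse('{"__proto__": {...}}') yields an OWN key named "__proto__",
// but reading dst["__proto__"] on a plain object returns Object.prototype,
// so the recursion writes the attacker's keys onto the shared prototype.
function vulnerableMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      vulnerableMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened form: refuse the keys that reach the prototype chain, and only
// recurse into properties dst actually owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Payload from the report; the attacker-controlled JSON is parsed, not built
// with an object literal, so "__proto__" becomes an own property.
const PAYLOAD = '{"__proto__": {"xxx": "polluted"}}';

// Runs the merge and reads "xxx" from a brand-new, unrelated object, which is
// the observation step of the report. Cleans up so runs do not contaminate
// each other. Returns "polluted" if the prototype was written to, else undefined.
function reproduce(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).xxx;
  delete Object.prototype.xxx;
  return leaked;
}

// Operator check for a browser console: Object.prototype's built-in
// properties are non-enumerable, so any own enumerable key means pollution.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

console.log('vulnerable merge:', reproduce(vulnerableMerge)); // "polluted"
console.log('hardened merge:  ', reproduce(safeMerge));       // undefined
console.log('prototype clean: ', prototypeIsClean());         // true
```

The hardened merge still performs ordinary deep merges; the only keys it drops are the three that let a payload climb out of the target object. The `prototypeIsClean()` check is deliberately cheap so it can be pasted into the console of a running deployment before and after the reproduction step.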

Jakub Darmach (darmachj)
description: updated
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

OpenStack assumes security-sensitive deployments are consuming dependencies of its projects from a distribution which patches security vulnerabilities in them. As such, we don't backport changes to stable branches related to supporting different versions of dependencies, and expect downstream distributions to maintain secured forks of those dependencies as necessary. We freeze the versions of dependencies we test with at release time, in order to stabilize our CI for the corresponding stable branches and to emulate as closely as possible what versions are being carried by distributions contemporary with the initial release.

This is probably a duplicate of already public bug 1955556, but I'll let the Horizon reviewers confirm before switching it to public.

Akihiro Motoki (amotoki) wrote :

I think this can be switched to Public. The vulnerabilities in AngularJS in the bug description are public information and we also have similar public security bug at https://bugs.launchpad.net/horizon/+bug/1955556. I see no reason to keep this private.

AngularJS requirement in horizon was updated to 1.8.2 in Zed (as part of https://bugs.launchpad.net/horizon/+bug/1927261 ). This bug can be considered as a request to stable branches before Zed.

Sorry for the late reply.

Jeremy Stanley (fungi)
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public Security