tari created AMBARI-26059:
-----------------------------
Summary: Imporve ambari-server ProcessBuilder security
Key: AMBARI-26059
URL: https://issues.apache.org/jira/browse/AMBARI-26059
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.7.8, 2.1.0, 2.3.0, 2.2.2, 2.4.4, 2.5.3, 2.6.2, 2.8.0
Reporter: tari
Attachments: image-2024-03-02-10-47-54-706.png
Apache Ambari version: 2.1.0-rc0 to 2.8.0-rc1 allows a malicious authenticated
user to execute arbitrary command remotely. Just like `touch /tmp/pwn` can
execute any command of the below screenshot.
!image-2024-03-02-10-47-54-706.png!
I think we should not use `sh -c` or `cmd /c` to execute shell command which
lead to command injection.
To fix this issue, that's two-step we should follow:
# Replace `sh -c` or `cmd /c` to parameterized command execution
# The above fix the way using some special char like `$..... to inject evil
command to `script` var, but it can't prevent the path traversal to execute
evil command, if any input content in `properties` contain `..` we should block
it and return failed tip to front end
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
