Galaxy Tool Shed Security Vulnerability - Repository uploads
by Nate Coraor
*DESCRIPTION*
A security vulnerability was recently discovered by Peter Cock at the James
Hutton Institute that would allow a malicious actor to upload new versions
to repositories on which they have not been granted access.
*AFFECTED VERSIONS*
This issue affects versions of the Tool Shed beginning with 15.01. Earlier
versions are not affected.
*IMPACT*
Because the Tool Shed is used to install software in Galaxy, if exploited,
the impact could result in arbitrary code execution on Galaxy servers if a
malicious tool is uploaded to a previously trusted repository, and that
compromised version is subsequently installed by a Galaxy administrator. As
such, Tool Shed administrators are strongly encouraged to update
immediately.
*INSTRUCTIONS*
To apply the fix, first identify your current Galaxy release version using
the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM'
branch, you can update with:
% git pull
or:
% hg pull -u
The process above can also be used to update to the 15.07 release if you
are on the 'master' git branch or the 'stable' hg branch. If you are on the
'master'/'stable' branch and wish to remain on your current Galaxy major
release, check the 'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate branch:
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
or:
% hg pull
% hg update release_YY.MM
For the changes to take effect, YOU MUST RESTART ALL TOOL SHED SERVER
PROCESSES.
On behalf of the Galaxy Committers,
--nate
Galaxy Security Vulnerability - Reflected XSS
by Nate Coraor
*DESCRIPTION*
A security vulnerability was recently discovered by Scott B. Szakonyi at
The Center for Research Computing at the University of Notre Dame that
would allow a malicious actor to exploit the workflow import form to cause
a user's browser to execute JavaScript not originating from within Galaxy.
This could allow the malicious actor to gain unauthorized access to Galaxy
accounts or client data.
*AFFECTED VERSIONS*
This issue affects all known versions of Galaxy.
In early 2015, the Galaxy Team performed a large XSS audit, the results of
which were applied to versions 14.10 and later. Using Galaxy versions
earlier than 14.10 is not advisable.
*IMPACT*
Exploitation of reflected XSS vulnerabilities typically requires some
coordination, but the consequences of exploitation can result in data or
account exposure, so the risk of leaving the issue unfixed is moderate.
Administrators of affected servers are encouraged to update immediately.
*INSTRUCTIONS*
To apply the fix, first identify your current Galaxy release version using
the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM'
branch, you can update with:
% git pull
or:
% hg pull -u
The process above can also be used to update to the 15.07 release if you
are on the 'master' git branch or the 'stable' hg branch. If you are on the
'master'/'stable' branch and wish to remain on your current Galaxy major
release, check the 'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate branch:
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
or:
% hg pull
% hg update release_YY.MM
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER
PROCESSES.
On behalf of the Galaxy Committers,
--nate
Galaxy Security Vulnerability - Authentication framework with LDAP
by Nate Coraor
*DESCRIPTION*
A security vulnerability was recently discovered by Nicola Soranzo at The
Genome Analysis Centre that would allow unauthorized access to Galaxy
accounts on Galaxy servers using the LDAP authentication framework plugin.
This is due to the fact that LDAP may be configured to allow anonymous
binds, and the LDAP plugin does not check that binding with the provided
username/password was not anonymous.
*AFFECTED VERSIONS*
The authentication framework is a new feature as of the 15.05 Galaxy
release, so earlier versions are not affected. In versions 15.05 and later,
the LDAP plugin is not used by default, so only Galaxy servers which have
been configured to use this new functionality are affected. Galaxy servers
using upstream delegated authentication (where authentication is performed
by the proxy server, e.g. Apache or nginx) are not affected.
*IMPACT*
Administrators of affected servers are STRONGLY encouraged to update
immediately, as the vulnerability allows unauthorized access to Galaxy
accounts.
*INSTRUCTIONS*
To apply the fix, first identify your current Galaxy release version using
the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM'
branch, you can update with:
% git pull
or:
% hg pull -u
The process above can also be used to update to the 15.07 release if you
are on the 'master' git branch or the 'stable' hg branch. If you are on the
'master'/'stable' branch and wish to remain on your current Galaxy major
release, check the 'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate branch:
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
or:
% hg pull
% hg update release_YY.MM
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER
PROCESSES.
On behalf of the Galaxy Committers,
--nate
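The anonymous-bind flaw described in the LDAP advisory above, as an added illustration that is not Galaxy's plugin code or any real LDAP library: FakeLdapServer is a constructed stand-in that follows the LDAP rule that a bind with an empty password is an unauthenticated (anonymous) bind, which succeeds whenever the server permits anonymous access. The "fixed" check shown (reject empty credentials, then confirm the bind authenticated as the requested DN) is an assumed remediation pattern, not necessarily the exact change shipped in 15.07.

```python
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_id: str  # "" for an anonymous bind, "dn:<DN>" for an authenticated one


class FakeLdapServer:
    """Constructed stand-in for a directory server; not a real LDAP client."""

    def __init__(self, users, allow_anonymous=True):
        self.users = users  # constructed sample data: {dn: password}
        self.allow_anonymous = allow_anonymous

    def bind(self, dn, password):
        if password == "":
            # Empty password => unauthenticated bind; it "succeeds" as anonymous
            # when the server is configured to allow anonymous binds.
            return BindResult(self.allow_anonymous, "")
        if self.users.get(dn) == password:
            return BindResult(True, "dn:" + dn)
        return BindResult(False, "")


def authenticate_vulnerable(server, dn, password):
    # Trusts the bind status alone, so an empty password logs the user in
    # whenever anonymous binds are enabled on the directory.
    return server.bind(dn, password).success


def authenticate_fixed(server, dn, password):
    # Assumed remediation: refuse empty credentials up front, then verify the
    # bind actually authenticated as the requested DN rather than as anonymous.
    if not dn or not password:
        return False
    result = server.bind(dn, password)
    return result.success and result.authz_id == "dn:" + dn


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"  # constructed
    srv = FakeLdapServer({dn: "s3cret"}, allow_anonymous=True)
    print("vulnerable, empty password:", authenticate_vulnerable(srv, dn, ""))
    print("fixed, empty password:     ", authenticate_fixed(srv, dn, ""))
    print("fixed, correct password:   ", authenticate_fixed(srv, dn, "s3cret"))
```
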