Galaxy Security Vulnerability - Arbitrary code execution
by Nate Coraor
*DESCRIPTION*
A security vulnerability was recently discovered by David Wyde in two
Galaxy tools that are provided with and enabled by default in the Galaxy
server. These vulnerabilities allow malicious actors to execute arbitrary
code as the user running the Galaxy server.
The vulnerable tools are "Filter GFF data by attribute" and "Filter GFF
data by feature count", two tools which share code with each other and the
more general "Filter data on any column using simple expressions" tool. The
latter was fixed in a previous security disclosure but these GFF variants
of the tool were missed when updating the Filter tool.
These tools use the Python `eval` and `exec` functions and do not properly
sanitize input to these functions.
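As an added illustration of the defensive pattern for a filter tool of this kind (example code, not Galaxy's own code or its actual fix): parse the user's condition with Python's `ast` module, whitelist the node types and the column names c1..cN, and only then evaluate it against each row. The GFF records in `SAMPLE_GFF` are constructed.

```python
import ast
# Node types permitted in a condition such as  c1 == 'chr1' and c5 - c4 > 500
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.BinOp, ast.Add, ast.Sub, ast.Name, ast.Load, ast.Constant,
)

def compile_filter(expr, ncols):
    """Validate a user-supplied column filter (columns c1..c<ncols>) and return a
    predicate over one row; calls, attributes, subscripts, unknown names are rejected."""
    tree = ast.parse(expr, mode="eval")
    allowed_names = {"c%d" % i for i in range(1, ncols + 1)}
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError("disallowed syntax: %s" % type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            raise ValueError("unknown column: %s" % node.id)
    code = compile(tree, "<filter>", "eval")
    def predicate(columns):
        env = {}
        for i, value in enumerate(columns, 1):
            try:                   # numeric-looking columns compare as numbers
                env["c%d" % i] = float(value)
            except ValueError:     # everything else compares as a string
                env["c%d" % i] = value
        # Builtins are emptied so the validated expression has nothing to reach.
        return bool(eval(code, {"__builtins__": {}}, env))
    return predicate

def is_safe_filter(expr, ncols):
    try:
        compile_filter(expr, ncols)
        return True
    except (ValueError, SyntaxError):
        return False

def filter_gff(lines, expr):
    """Return the tab-separated GFF lines matching expr (comment lines skipped)."""
    keep = compile_filter(expr, 9)
    return [ln for ln in lines
            if not ln.startswith("#") and keep(ln.rstrip("\n").split("\t"))]

SAMPLE_GFF = [  # constructed GFF3 records, not real data
    "##gff-version 3",
    "chr1\tensembl\tgene\t1000\t5000\t.\t+\t.\tID=gene1",
    "chr1\tensembl\texon\t1200\t1300\t.\t+\t.\tParent=gene1",
    "chr2\tensembl\tgene\t200\t900\t.\t-\t.\tID=gene2",
]
```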
Additionally, an XSS vulnerability exists in the upload tool: an uploaded
file's name was not properly sanitized, so a specially crafted filename
uploaded to the Galaxy server could be used as an XSS attack vector. This
vulnerability has already been fixed in the 16.07 and 16.10 Galaxy releases.
The Galaxy Committers would like to thank David for disclosing these
vulnerabilities. If you discover security vulnerabilities in Galaxy, please
report them to the Galaxy Committers at
galaxy-committers(a)lists.galaxyproject.org.
*AFFECTED VERSIONS*
This arbitrary code execution vulnerability is present in all known
releases of Galaxy using the default tool config, or a tool config in which
these tools are loaded. To determine whether your Galaxy server is affected,
check your tool_conf.xml for the following lines:
<tool file="filters/gff/gff_filter_by_attribute.xml" />
<tool file="filters/gff/gff_filter_by_feature_count.xml" />
If you are unsure, you can also check to see if the tools have loaded by
searching for them in your Galaxy server logs, e.g.:
% grep gff_filter paster.log
galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id:
gff_filter_by_attribute, version: 0.1 into tool panel..
galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id:
gff_filter_by_feature_count, version: 0.1 into tool panel..
*IMPACT*
This vulnerability can be exploited to execute arbitrary code as the user
that runs Galaxy jobs on any system where Galaxy runs those jobs
(potentially a cluster). Such code can be used to provide a remote shell to
an attacker, or read/write/delete files that the Galaxy user has
appropriate permissions on.
*SOLUTION*
Multiple solutions exist for the arbitrary code execution vulnerability:
1. Update your Galaxy code. A fix for the issue has been applied to stable
releases of Galaxy back to version 14.10.
2. Disable the affected tools.
3. Patch the affected tools. Patches to fix the vulnerabilities (depending
on the version of Galaxy that you are running) can be found below.
*INSTRUCTIONS*
1. To apply the fix, first identify your current Galaxy release version
using the `git branch` command. If you are on a 'release_YY.MM' branch, you
can update with:
% git pull
The process above can also be used to update to the 16.10 release if you
are on the 'master' git branch. If you are on the 'master' branch and wish
to remain on your current Galaxy major release, check the
'lib/galaxy/version.py' file to determine your major release version, then
update to the appropriate branch:
% git fetch origin
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
2. To disable the tools, locate and remove the following lines from your
tool_conf.xml, then restart Galaxy:
<tool file="filters/gff/gff_filter_by_attribute.xml" />
<tool file="filters/gff/gff_filter_by_feature_count.xml" />
3. To manually patch the tools, use the appropriate patch file below:
For Galaxy releases 16.01 to dev:
https://depot.galaxyproject.org/patch/filter_security_16_01.patch
For Galaxy releases 15.07 to 15.10:
https://depot.galaxyproject.org/patch/filter_security_15_07.patch
For Galaxy releases 14.10 to 15.05:
https://depot.galaxyproject.org/patch/filter_security_14_10.patch
To apply the patch, navigate to the root of your Galaxy directory, then
execute (replacing <patch_url> with the url above appropriate for your
current Galaxy release):
% wget -O filter_security.patch <patch_url>
or:
% curl -o filter_security.patch <patch_url>
and then test applying the patch:
% patch -p1 --dry-run < filter_security.patch
checking file tools/filters/gff/gff_filter_by_attribute.py
checking file tools/filters/gff/gff_filter_by_attribute.xml
checking file tools/filters/gff/gff_filter_by_feature_count.py
checking file tools/filters/gff/gff_filter_by_feature_count.xml
If this succeeds without error (applying successfully with fuzz/offset is
fine), apply with:
% patch -p1 < filter_security.patch
patching file tools/filters/gff/gff_filter_by_attribute.py
patching file tools/filters/gff/gff_filter_by_attribute.xml
patching file tools/filters/gff/gff_filter_by_feature_count.py
patching file tools/filters/gff/gff_filter_by_feature_count.xml
In all cases, for the changes to take effect, *YOU MUST RESTART ALL GALAXY
SERVER PROCESSES*.
On behalf of the Galaxy Committers,
--nate
December Galaxy News: New web site, GAMe deadline extended
by Dave Clements
Hello all,
The *December Galaxy News
<https://new.galaxyproject.org/GalaxyUpdates/2016_12/>* is hot off the
press, *and was produced on a hot new press.* Highlights this month
include:
- The *Galaxy Community Hub (the Hub) <https://new.galaxyproject.org/GalaxyUpdates/2016_12/#galaxy-community-hub...>* will be the new home for Galaxy Community documentation, replacing the current wiki.
- And we are asking for help to get it ready for its official launch <https://new.galaxyproject.org/GalaxyUpdates/2016_12/#the-community-hub-co...>
- *Galaxy Australasia Meeting (GAMe 2017) <https://new.galaxyproject.org/GalaxyUpdates/2016_12/#galaxy-australasia-m...>*: February 3-9, Melbourne, Victoria, Australia.
- *Talk abstract submission extended to 14 December.*
- *Early registration ends 31 December.*
- And of course, other upcoming events <https://new.galaxyproject.org/GalaxyUpdates/2016_12/#all-upcoming-events> too.
There are also 60 new publications (including eight featured pubs), four
open positions, two new public Galaxy servers, new releases of Planemo &
Pulsar, and other news too.
Dave Clements and the Galaxy Team
--
http://galaxyproject.org/
http://getgalaxy.org/
http://usegalaxy.org/
https://wiki.galaxyproject.org/