Multiple security vulnerabilities were recently discovered in Galaxy that allow malicious actors to read and write files on the Galaxy server. Additionally, Galaxy servers on which a rarely used feature has been enabled are vulnerable to an arbitrary code execution exploit.
1. A write vulnerability exists in the history import mechanism. It is possible to create a history tar archive that contains files with parent directory components in the file path (e.g. "foo/../../bar" would extract to "../bar"), and these archive members would be written if the user running the Galaxy server had write permission to the given path.
2. A read vulnerability exists in the object store path composition code. Galaxy allows clients to add elements to the end of a path to "extra" files associated with a dataset (as is the case with composite datatypes). These elements were not being checked to ensure they did not contain relative parent references ('..') or did not start with an absolute path character ('/'). Because of this, the dataset display methods could be manipulated to return the contents of any files for which the Galaxy server user had read permission.
3. An arbitrary code execution vulnerability exists in the Galaxy sample tracking system. The sample tracking system included a feature which allowed administrators to browse remote "external services" (such as sequencers) to choose files to transfer to the Galaxy server. This browsing code used a shell invocation which did not sanitize user input. However, this code is only reachable if at least one external service has ever been defined.
The Galaxy Committers would like to thank Youri Hoogstrate at the Erasmus MC, Rotterdam, who initially reported a similar vulnerability in the Tool Shed. Through additional auditing based on this attack vector, we discovered the other vulnerabilities.
This issue affects all known releases of Galaxy in at least the last 3 years.
The read and write vulnerabilities can be exploited to write to any path on the Galaxy server writable by the Galaxy user, which can be potentially destructive to Galaxy configuration files and data.
Additionally, they can be used to read any file available on the system that is readable by the user running the Galaxy server, including Galaxy config files, data, system config files, contents of /proc, etc.
As such, Galaxy administrators are strongly encouraged to update immediately.
The arbitrary code execution vulnerability can be exploited to execute any shell command as the Galaxy user, which is also very dangerous. If your Galaxy instance has had an external service configured at any point in the past, you are strongly encouraged to update immediately.
Fixes for these vulnerabilities have been applied to the 14.10 and newer release branches in the public GitHub and Bitbucket repositories. Galaxy versions older than 14.10 should upgrade (preferably to 16.01). To apply the fix, first identify your current Galaxy release version using the `git branch` or `hg branch` commands. If you are on a 'release_YY.MM' branch, you can update with:
% git pull
% hg pull -u
The process above can also be used to update to the 16.01 release if you are on the 'master' git branch or the 'stable' hg branch. If you are on the 'master'/'stable' branch and wish to remain on your current Galaxy major release, check the 'lib/galaxy/version.py' file to determine your major release version, then update to the appropriate branch:
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
% hg pull
% hg update release_YY.MM
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.
On behalf of the Galaxy Committers,