*DESCRIPTION*
A security vulnerability was recently discovered by
David Wyde in two Galaxy tools that are provided with
and enabled by default in the Galaxy server. These
vulnerabilities allow malicious actors to execute
arbitrary code as the user running the Galaxy server.
The vulnerable tools are "Filter GFF data by
attribute" and "Filter GFF data by feature count", two
tools which share code with each other and the more
general "Filter data on any column using simple
expressions" tool. The latter was fixed in a previous
security disclosure but these GFF variants of the tool
were missed when updating the Filter tool.
These tools use the Python `eval` and `exec`
functions and do not properly sanitize input to these
functions.
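The following Python is an added illustration for this
advisory, not Galaxy's code and not the fix the Committers
applied. It shows how a column-filter expression of the kind
these tools accept can be evaluated without calling eval or
exec: the expression is parsed with the ast module, only
comparisons, and/or/not, basic arithmetic, literals and
column names c1, c2, ... are accepted, and the syntax tree
is interpreted directly, so calls, attribute access and
subscripts are rejected before anything runs. The grammar,
the rule that numeric-looking fields compare as numbers,
and the sample GFF lines are assumptions of this example.

```python
"""Added example: evaluate a column-filter expression without eval()/exec().

Assumptions (not Galaxy's own grammar or code): the filter language is
comparisons, and/or/not, + - * /, numeric and string literals, and column
references c1, c2, ...  Fields that look numeric compare as numbers.
"""
import ast
import operator

_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
# Every node type an accepted expression may contain; anything else is rejected
# before evaluation, so calls, attribute access, subscripts, etc. never run.
_ALLOWED = (ast.Expression, ast.Constant, ast.Name, ast.Load,
            ast.UnaryOp, ast.Not, ast.USub, ast.BoolOp, ast.And, ast.Or,
            ast.BinOp, ast.Compare) + tuple(_CMP_OPS) + tuple(_BIN_OPS)


class UnsafeExpression(ValueError):
    """The expression uses something outside the filter grammar."""


def _validate(tree):
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise UnsafeExpression("construct not allowed: " + type(node).__name__)
        if isinstance(node, ast.Name) and not (node.id[:1] == "c" and node.id[1:].isdigit()):
            raise UnsafeExpression("name not allowed: " + node.id)
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float, str)):
            raise UnsafeExpression("literal type not allowed")


def _ev(node, cols):
    """Interpret an already-validated tree; cols is the row's list of typed fields."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, cols)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        idx = int(node.id[1:]) - 1
        if not 0 <= idx < len(cols):
            raise UnsafeExpression("row has no column " + node.id)
        return cols[idx]
    if isinstance(node, ast.UnaryOp):
        val = _ev(node.operand, cols)
        return (not val) if isinstance(node.op, ast.Not) else -val
    if isinstance(node, ast.BoolOp):
        vals = (_ev(v, cols) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.BinOp):
        return _BIN_OPS[type(node.op)](_ev(node.left, cols), _ev(node.right, cols))
    # ast.Compare, possibly chained: 1 < c4 < 1500
    left = _ev(node.left, cols)
    for op, comp in zip(node.ops, node.comparators):
        right = _ev(comp, cols)
        if not _CMP_OPS[type(op)](left, right):
            return False
        left = right
    return True


def _typed(field):
    """Assumption of this example: int, then float, else the raw string."""
    for cast in (int, float):
        try:
            return cast(field)
        except ValueError:
            pass
    return field


def compile_filter(expr):
    """Parse and validate expr once; return a predicate over a list of fields."""
    tree = ast.parse(expr, mode="eval")
    _validate(tree)
    return lambda fields: bool(_ev(tree, [_typed(f) for f in fields]))


def filter_gff(lines, expr):
    """Keep comment lines and the tab-separated data lines for which expr holds."""
    keep = compile_filter(expr)
    return [line for line in lines
            if line.startswith("#") or keep(line.rstrip("\n").split("\t"))]


# Constructed sample GFF lines (not real data).
SAMPLE_GFF = [
    "##gff-version 3",
    "chr1\tdemo\texon\t1000\t1500\t.\t+\t.\tID=e1",
    "chr1\tdemo\tCDS\t1000\t1200\t.\t+\t.\tID=c1",
    "chr1\tdemo\texon\t2000\t2050\t.\t-\t.\tID=e2",
]

if __name__ == "__main__":
    for kept in filter_gff(SAMPLE_GFF, "c3 == 'exon' and c5 - c4 > 100"):
        print(kept)
```

The design point is that validation happens on the parse tree, not on the
expression string: a string-based blacklist can be bypassed by spelling
tricks, whereas an allow-list of node types rejects every construct the
grammar does not name, including ones the author never thought of.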
Additionally, an XSS vulnerability was found in the upload
tool: an uploaded file's name was not properly sanitized,
so a specially crafted filename uploaded to the Galaxy
server could be used as an XSS attack vector. This
vulnerability has already been fixed in the 16.07 and
16.10 Galaxy releases.
The Galaxy Committers would like to thank David for
disclosing these vulnerabilities. If you discover
security vulnerabilities in Galaxy, please report them
to the Galaxy Committers at
galaxy-committers@lists.galaxyproject.org.
*AFFECTED VERSIONS*
This arbitrary code execution vulnerability is present in
all known releases of Galaxy using the default tool config
or a tool config in which these tools are loaded. To
determine if your Galaxy server is affected, check your
tool_conf.xml for the following lines:
<tool file="filters/gff/gff_filter_by_attribute.xml" />
<tool file="filters/gff/gff_filter_by_feature_count.xml" />
If you are unsure, you can also check to see if the
tools have loaded by searching for them in your Galaxy
server logs, e.g.:
% grep gff_filter paster.log
galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_attribute, version: 0.1 into tool panel..
galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_feature_count, version: 0.1 into tool panel..
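The following Python script is an added example, not part of
this advisory or of Galaxy, that automates both checks: it
parses a tool_conf.xml (including tools nested inside
<section> elements, which a plain grep for the two lines can
miss if the whitespace differs) and scans toolbox log lines
for the "Loaded tool id" messages quoted above. The tool
file paths and ids come from this advisory; the sample
config, the other tool entries and the sample log lines
embedded in the script are constructed.

```python
"""Added example: check whether the affected GFF filter tools are configured or loaded.

Usage: python check_gff_filter_tools.py tool_conf.xml [paster.log]
With no arguments it runs against the constructed samples below.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Tool config files named in the advisory.
AFFECTED_TOOL_FILES = {
    "filters/gff/gff_filter_by_attribute.xml",
    "filters/gff/gff_filter_by_feature_count.xml",
}
# Tool ids as they appear in the toolbox log lines quoted in the advisory.
AFFECTED_TOOL_IDS = {"gff_filter_by_attribute", "gff_filter_by_feature_count"}
_LOADED_RE = re.compile(r"Loaded tool id: (?P<id>[^,\s]+), version: (?P<ver>\S+)")


def affected_tools_in_conf(xml_text):
    """Return the affected tool files referenced anywhere in a tool_conf.xml document."""
    root = ET.fromstring(xml_text)
    # root.iter() descends into <section> elements, so nested tools are found too.
    return sorted(t.get("file").strip() for t in root.iter("tool")
                  if t.get("file", "").strip() in AFFECTED_TOOL_FILES)


def affected_tools_in_log(log_lines):
    """Return (tool_id, version) for each affected tool the toolbox reports loading."""
    found = []
    for line in log_lines:
        m = _LOADED_RE.search(line)
        if m and m.group("id") in AFFECTED_TOOL_IDS:
            found.append((m.group("id"), m.group("ver")))
    return found


# Constructed sample config and log lines: the affected ids/files are from the
# advisory; the section name, "example/other_tool.xml" and "example_tool" are made up.
SAMPLE_TOOL_CONF = """<toolbox>
  <section id="example_filters" name="Example filters">
    <tool file="example/other_tool.xml" />
    <tool file="filters/gff/gff_filter_by_attribute.xml" />
    <tool file="filters/gff/gff_filter_by_feature_count.xml" />
  </section>
</toolbox>"""
SAMPLE_LOG = [
    "galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,930 Loaded tool id: gff_filter_by_attribute, version: 0.1 into tool panel..",
    "galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,931 Loaded tool id: example_tool, version: 1.0 into tool panel..",
    "galaxy.tools.toolbox.base DEBUG 2016-12-08 13:25:16,932 Loaded tool id: gff_filter_by_feature_count, version: 0.1 into tool panel..",
]


def main(argv):
    """Exit status 1 if any affected tool is configured or was loaded, else 0."""
    if len(argv) < 2:
        conf_hits = affected_tools_in_conf(SAMPLE_TOOL_CONF)
        log_hits = affected_tools_in_log(SAMPLE_LOG)
    else:
        with open(argv[1]) as fh:
            conf_hits = affected_tools_in_conf(fh.read())
        log_hits = []
        if len(argv) > 2:
            with open(argv[2]) as fh:
                log_hits = affected_tools_in_log(fh)
    for path in conf_hits:
        print("configured:", path)
    for tool_id, ver in log_hits:
        print("loaded:", tool_id, "version", ver)
    return 1 if conf_hits or log_hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status makes the script usable from a fleet-wide
inventory job; the log check is the one that matters when Galaxy is
configured with a tool config other than tool_conf.xml.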
*IMPACT*
This vulnerability can be exploited to execute
arbitrary code as the user that runs Galaxy jobs on any
system where Galaxy runs those jobs (potentially a
cluster). Such code can be used to provide a remote
shell to an attacker, or read/write/delete files that
the Galaxy user has appropriate permissions on.
*SOLUTION*
Multiple solutions exist for the arbitrary code
execution vulnerability:
1. Update your Galaxy code. A fix for the issue has
been applied to stable releases of Galaxy back to
version 14.10.
2. Disable the affected tools.
3. Patch the affected tools. Patches to fix the
vulnerabilities (depending on the version of Galaxy that
you are running) can be found below.
*INSTRUCTIONS*
1. To apply the fix, first identify your current
Galaxy release version using the `git branch` command.
If you are on a 'release_YY.MM' branch, you can update
with:
% git pull
The process above can also be used to update to the
16.10 release if you are on the 'master' git branch.
If you are on the 'master' branch and wish to remain
on your current Galaxy major release, check the
'lib/galaxy/version.py' file to determine your major
release version, then update to the appropriate
branch:
% git fetch origin
% git checkout -b release_YY.MM origin/release_YY.MM
% git pull
2. To disable the tools, locate and remove the
following lines from your tool_conf.xml, then restart
Galaxy:
<tool file="filters/gff/gff_filter_by_attribute.xml" />
<tool file="filters/gff/gff_filter_by_feature_count.xml" />
3. To manually patch the tools, use the appropriate
patch file below:
For Galaxy releases 16.01 to dev:
For Galaxy releases 15.07 to 15.10:
For Galaxy releases 14.10 to 15.05:
To apply the patch, navigate to the root of your Galaxy
directory, then execute the following (replacing
<patch_url> with the URL listed above for your current
Galaxy release):
% wget -O filter_security.patch <patch_url>
or:
% curl -o filter_security.patch <patch_url>
and then test applying the patch:
% patch -p1 --dry-run < filter_security.patch
checking file tools/filters/gff/gff_filter_by_attribute.py
checking file tools/filters/gff/gff_filter_by_attribute.xml
checking file tools/filters/gff/gff_filter_by_feature_count.py
checking file tools/filters/gff/gff_filter_by_feature_count.xml
If this succeeds without error (applying successfully with
fuzz/offset is fine), apply with:
% patch -p1 < filter_security.patch
patching file tools/filters/gff/gff_filter_by_attribute.py
patching file tools/filters/gff/gff_filter_by_attribute.xml
patching file tools/filters/gff/gff_filter_by_feature_count.py
patching file tools/filters/gff/gff_filter_by_feature_count.xml
In all cases, for the changes to take effect, *YOU MUST
RESTART ALL GALAXY SERVER PROCESSES*.
On behalf of the Galaxy Committers,
--nate