[ECODP-dev] Important: ODP - CKAN security upgrade and restricting API access
ISOARD Olivier (OP)
Olivier.ISOARD at publications.europa.eu
Tue Aug 6 05:59:28 UTC 2013
Hi Darwin,
Thanks for your message. We will take all necessary action ASAP.
About the delivery of a hotfix, feel free to organize it.
Let's call it 00.09.02
Regards
Olivier
From: Darwin Peltan [mailto:darwin.peltan at okfn.org]
Sent: Monday, August 05, 2013 5:37 PM
To: ISOARD Olivier (OP); Project list for EC ODP CKAN project; ZAJAC Agnieszka (OP); HOHN Norbert (OP); Gavin Chait; Laura James
Subject: Important: CKAN security upgrade and restricting API access
Dear Olivier,
Last week we identified an issue with the CKAN API that could potentially allow users to access the API with higher privileges than they should have. We discovered this vulnerability during our own development work and have no reason to believe that it is known to anyone outside the OKF team. We have created a patch and we would like to work with you to ensure that the EU ODP site is protected from the vulnerability as quickly as possible. Therefore please see the details below.
The vulnerability exists in the "/api/action/user_update" API call, so the first step is to ensure that this action isn't available to any external users. In previous discussions around the security of the site (during work on release 07.50) we agreed that certain URLs and API calls (including all "user" actions) would be blocked from the outside world by your proxy server (Big IP). However, looking at the API it looks like these rules haven't all been implemented. Therefore we need to ensure that the proxy configuration is changed as soon as possible. This will protect the site from the vulnerability until the patch is deployed.
You can see the details of the URLs which need to be blocked at the link below:
https://docs.google.com/a/okfn.org/document/d/1MoTsSe3kcQF1F7LeYI7pGEs9KvHX13E8jYSJV90RLDM/edit
Blocking these URLs at the proxy will prevent external users from accessing the affected API call, so it will protect the currently deployed release (08.x) and release 09.01.
The next step is to create a new EU ODP release containing a small patch which removes the issue with that API call. This is a small code change, so it will be easy to deploy (no database migrations etc. are required), but it will require 10F to create a new RPM. We will also release an updated version of CKAN at the same time, so we would like to make sure that your proxy configuration has been updated before then. (We won't be announcing the vulnerability when we release the new version, but it would be best to have the proxy changes in place before it's released.)
Therefore please see below the suggested timeline:
* PO to update proxy configuration as soon as possible
* OKF to commit patch to project - Thursday
* 10F to create new RPM and send to PO - Thursday onwards
We would like to release the CKAN upgrade to the CKAN community on Thursday. Therefore please can you let me know ASAP if you won't be able to update your proxy configuration by then?
I'm afraid I'm out of the office tomorrow morning and so will probably not be able to join the weekly update call but David and John are available via email to answer any questions you might have. I'm also available for a call in the afternoon if that would be helpful.
Kind regards,
Darwin
Darwin Peltan
Project Manager | skype: darwinp | twitter: @darwin<http://twitter.com/darwin>
The Open Knowledge Foundation<http://okfn.org/>
Empowering through Open Knowledge
http://okfn.org/ | @okfn<http://twitter.com/OKFN> | OKF on Facebook<https://www.facebook.com/OKFNetwork> | Blog<http://blog.okfn.org/> | Newsletter<http://okfn.org/about/newsletter>
CKAN | http://ckan.org<http://ckan.org/> | @ckanproject<http://twitter.com/ckanproject> | open source data management platform
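As an added illustration, not part of the thread or of CKAN's or the proxy's own code: a Python model of the blocklist rule Darwin asks for (every CKAN "user" action under the action API), which normalises the request path before matching so that percent-encoded or double-slash spellings of the same URL are rejected as well. The versioned /api/<n>/action/ prefix and the action names other than user_update are assumptions based on CKAN's public API layout.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed model of the proxy rule: block every CKAN "user" action,
# whether reached via /api/action/<name> or /api/<version>/action/<name>.
# (Assumption: the versioned prefix follows CKAN's public API layout.)
BLOCKED_ACTION_PREFIXES = ("user_",)
ACTION_PATH = re.compile(r"^/api(?:/\d+)?/action/(?P<action>[^/]+)/?$")


def normalize_path(raw_url: str) -> str:
    """Reduce a request target to the path the application router sees.

    Drops query string and fragment, percent-decodes twice (so a
    double-encoded path errs toward being blocked rather than let
    through) and collapses repeated slashes.
    """
    path = urlsplit(raw_url).path
    path = unquote(unquote(path))
    path = re.sub(r"/{2,}", "/", path)
    return path


def is_blocked(raw_url: str) -> bool:
    """True when the proxy should reject this request outright."""
    match = ACTION_PATH.match(normalize_path(raw_url))
    if not match:
        return False
    return match.group("action").startswith(BLOCKED_ACTION_PREFIXES)


def audit(request_targets):
    """Return the targets the rule would still let through, for review."""
    return [target for target in request_targets if not is_blocked(target)]


if __name__ == "__main__":
    # Constructed sample of request targets as a proxy log might record them.
    sample = [
        "/api/action/user_update",            # the call named in the mail
        "/api/3/action/user_update?id=alice", # versioned prefix, query string
        "/api/action/user%5Fupdate",          # percent-encoded underscore
        "/api//action/user_list",             # doubled slash
        "/api/action/package_show?id=x",      # unrelated action, stays open
    ]
    for target in sample:
        print(f"{'BLOCK' if is_blocked(target) else 'allow':5}  {target}")
```

Running the block prints the decision for each constructed target; the same functions can be pointed at a real access log to confirm the deployed rule leaves no user_* request unblocked.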