[ECODP-dev] Important: ODP - CKAN security upgrade and restricting API access

Darwin Peltan darwin.peltan at okfn.org
Tue Aug 6 14:41:27 UTC 2013


Hi Olivier,

Thanks for your email. We will be releasing the patch next Tuesday to give
portal owners a bit more time to prepare. Please can you confirm that your
proxy server will be updated by then?

Best,

Darwin

Darwin Peltan

Project Manager  |  skype: darwinp  |  twitter: @darwin <http://twitter.com/darwin>

The Open Knowledge Foundation <http://okfn.org/>

Empowering through Open Knowledge

http://okfn.org/  |  @okfn <http://twitter.com/OKFN>  |  OKF on Facebook <https://www.facebook.com/OKFNetwork>  |
Blog <http://blog.okfn.org/>  |  Newsletter <http://okfn.org/about/newsletter>

CKAN | http://ckan.org | @ckanproject <http://twitter.com/ckanproject> |
open source data management platform


On 6 August 2013 06:59, ISOARD Olivier (OP) <
Olivier.ISOARD at publications.europa.eu> wrote:

> Hi Darwin,
>
> Thanks for your message. We will take all necessary action ASAP.
>
> About the delivery of a hotfix, feel free to organize it.
>
> Let's call it 00.09.02
>
> Regards
>
> Olivier
>
> *From:* Darwin Peltan [mailto:darwin.peltan at okfn.org]
> *Sent:* Monday, August 05, 2013 5:37 PM
> *To:* ISOARD Olivier (OP); Project list for EC ODP CKAN project; ZAJAC
> Agnieszka (OP); HOHN Norbert (OP); Gavin Chait; Laura James
> *Subject:* Important: CKAN security upgrade and restricting API access
>
> Dear Olivier,
>
> Last week we identified an issue with the CKAN API that could potentially
> allow users to access the API with higher privileges than they should have.
> We discovered this vulnerability during our own development work and have
> no reason to believe that it is known to anyone outside the OKF team. We
> have created a patch and we would like to work with you to ensure that the
> EU ODP site is protected from the vulnerability as quickly as possible.
> Therefore please see the details below.
>
> The vulnerability exists in the "/api/action/user_update" API call, so the
> first step is to ensure that this action isn't available to any external
> users. In previous discussions around the security of the site (during work
> on release 07.50) we agreed that certain URLs and API calls (including all
> "user" actions) would be blocked from the outside world by your proxy
> server (Big IP). However, looking at the API it looks like these rules
> haven't all been implemented. Therefore we need to ensure that the proxy
> configuration is changed as soon as possible. This will protect the site
> from the vulnerability until the patch is deployed.
>
> You can see the details of the URLs which need to be blocked at the link
> below:
>
> https://docs.google.com/a/okfn.org/document/d/1MoTsSe3kcQF1F7LeYI7pGEs9KvHX13E8jYSJV90RLDM/edit
>
> Blocking these URLs at the proxy will prevent external users from accessing
> the affected API call, so will protect the currently deployed release (08.x)
> and release 09.01.
>
> The next step is to create a new EU ODP release containing a small patch
> which removes the issue with that API call. This is a small code change so
> will be easy to deploy (no database migrations etc. are required) but it
> will require 10F to create a new RPM. We will also release an updated
> version of CKAN at the same time, so we would like to make sure that your
> proxy configuration has been updated before then. (We won't be announcing
> the vulnerability when we release the new version but it would be best to
> have the proxy changes in place before it's released.)
>
> Therefore please see below the suggested timeline:
>
> * PO to update proxy configuration as soon as possible
>
> * OKF to commit patch to project - Thursday
>
> * 10F to create new RPM and send to PO - Thursday onwards
>
> We would like to release the CKAN upgrade to the CKAN community on
> Thursday. Therefore please can you let me know ASAP if you won't be able
> to update your proxy configuration by then?
>
> I'm afraid I'm out of the office tomorrow morning and so will probably not
> be able to join the weekly update call, but David and John are available via
> email to answer any questions you might have. I'm also available for a call
> in the afternoon if that would be helpful.
>
> Kind regards,
>
> Darwin
>
>
> Darwin Peltan
>
> Project Manager  |  skype: darwinp  |  twitter: @darwin <http://twitter.com/darwin>
>
> The Open Knowledge Foundation <http://okfn.org/>
>
> Empowering through Open Knowledge
>
> http://okfn.org/  |  @okfn <http://twitter.com/OKFN>  |  OKF on Facebook <https://www.facebook.com/OKFNetwork>  |
> Blog <http://blog.okfn.org/>  |  Newsletter <http://okfn.org/about/newsletter>
>
> CKAN | http://ckan.org | @ckanproject <http://twitter.com/ckanproject> |
> open source data management platform
>
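The quoted message asks for certain URLs, including all "user" actions, to be blocked at the reverse proxy until the patched release is deployed, and notes that the rules agreed earlier had not all been implemented. The exact URL list lives in the linked Google Doc, which is not reproduced on this page, and the BIG-IP rule itself is not shown, so the following is an added example rather than code from the thread, from OKF or from CKAN. It assumes the deny rule is "every action-API call whose action name starts with `user_`", assumes the two action-API path shapes `/api/action/<name>` and `/api/<version>/action/<name>`, and shows why a rule matching only the literal `/api/action/user_update` is not enough: the same action is reachable through a versioned path, doubled slashes, a trailing slash, mixed case or percent-encoding. The sample request targets in the test are constructed for illustration. The small WSGI middleware at the end applies the same rule inside the application as a second line of defence for exactly the situation described, a proxy rule that was supposed to exist but did not.

```python
"""Edge filter for CKAN "user_*" action-API calls (added example).

Not code from the thread, from OKF or from CKAN.  Assumptions, as stated
in the lead-in: the deny rule is "block every action whose name starts
with user_"; action-API paths look like /api/action/<name> or
/api/<version>/action/<name>.  Request targets are normalised before
matching so that trivial encodings of the same path cannot slip past.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumed path shapes: unversioned and versioned (1-3) action API.
ACTION_PATH = re.compile(r"^/api(?:/[1-3])?/action/([a-z0-9_]+)$")

# Assumed deny-list; the thread only says "all 'user' actions".
BLOCKED_PREFIXES = ("user_",)


def normalise_path(raw_target: str) -> str:
    """Reduce a request target to one canonical path for matching."""
    path = urlsplit(raw_target).path            # drop ?query and #fragment
    # Decode repeatedly (bounded) so double-encoding such as %2575 -> %75 -> u
    # cannot smuggle characters past a single-pass decoder.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)             # collapse // to /
    path = path.rstrip("/") or "/"              # strip trailing slash
    return path.lower()                         # action names are lowercase


def action_name(raw_target: str):
    """Return the action name if the target is an action-API call, else None."""
    match = ACTION_PATH.match(normalise_path(raw_target))
    return match.group(1) if match else None


def is_blocked(raw_target: str) -> bool:
    """True if the edge should refuse this request under the assumed rule."""
    name = action_name(raw_target)
    return name is not None and name.startswith(BLOCKED_PREFIXES)


class DenyUserActions:
    """WSGI middleware applying the same rule in-app, so the application
    does not depend solely on the proxy configuration being correct."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        target = environ.get("PATH_INFO", "")
        query = environ.get("QUERY_STRING", "")
        if query:
            target = target + "?" + query
        if is_blocked(target):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


if __name__ == "__main__":
    # Constructed request targets, not captured traffic.
    for target in ("/api/action/user_update",
                   "/api/3/action/user_update?id=admin",
                   "/api//action/User_Update/",
                   "/api/action/%2575ser_update",
                   "/api/action/package_show?id=x"):
        print(f"{'BLOCK' if is_blocked(target) else 'allow':5}  {target}")
```

`normalise_path` is the part worth copying into whatever the proxy or application actually uses: a deny rule evaluated on the raw request string is only as strong as the weakest encoding it fails to canonicalise first. A narrower allow-list of the actions the portal genuinely needs externally is the safer long-term shape, but the deny-list above matches what the message asks for.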