[ECODP-dev] Important: ODP - CKAN security upgrade and restricting API access
Bert Van Nuffelen
bert.van.nuffelen at tenforce.com
Wed Aug 7 07:43:57 UTC 2013
Hi Olivier,
we are already considering this.
Best,
Bert
2013/8/7 ISOARD Olivier (OP) <Olivier.ISOARD at publications.europa.eu>
> Hi Darwin,
>
> We've already implemented a drastic filter at our big-ip's level which
> completely disables the access to CKAN API (…/data/api*). Any request to
> access over there is redirected to the home page.
>
> About the coming patch, could you please discuss with 10F because they
> are also preparing a delivery for a new version of SEMMAP and it would be preferable if
> we can combine both elements in one single delivery ;-)
>
> Best regards
>
> Olivier
>
>
> *From:* Darwin Peltan [mailto:darwin.peltan at okfn.org]
> *Sent:* Tuesday, August 06, 2013 4:41 PM
> *To:* ISOARD Olivier (OP)
> *Cc:* Project list for EC ODP CKAN project; ZAJAC Agnieszka (OP); HOHN
> Norbert (OP); Gavin Chait; Laura James; Bert Van Nuffelen (
> bert.van.nuffelen at tenforce.com)
> *Subject:* Re: Important: ODP - CKAN security upgrade and restricting API
> access
>
> Hi Olivier,
>
> Thanks for your email. We will be releasing the patch next Tuesday to give
> portal owners a bit more time to prepare. Please can you confirm that your
> proxy server will be updated by then?
>
> Best,
>
> Darwin
>
> Darwin Peltan
> Project Manager | skype: darwinp | twitter: @darwin <http://twitter.com/darwin>
> The Open Knowledge Foundation <http://okfn.org/>
> Empowering through Open Knowledge
> http://okfn.org/ | @okfn <http://twitter.com/OKFN> | OKF on Facebook <https://www.facebook.com/OKFNetwork> |
> Blog <http://blog.okfn.org/> | Newsletter <http://okfn.org/about/newsletter>
> CKAN | http://ckan.org | @ckanproject <http://twitter.com/ckanproject> | open source data management platform
>
>
> On 6 August 2013 06:59, ISOARD Olivier (OP) <
> Olivier.ISOARD at publications.europa.eu> wrote:
>
> Hi Darwin,
>
> Thanks for your message. We will take all necessary action ASAP.
>
> About the delivery of a hotfix, feel free to organize it.
>
> Let's call it 00.09.02
>
> Regards
>
> Olivier
>
>
> *From:* Darwin Peltan [mailto:darwin.peltan at okfn.org]
> *Sent:* Monday, August 05, 2013 5:37 PM
> *To:* ISOARD Olivier (OP); Project list for EC ODP CKAN project; ZAJAC
> Agnieszka (OP); HOHN Norbert (OP); Gavin Chait; Laura James
> *Subject:* Important: CKAN security upgrade and restricting API access
>
> Dear Olivier,
>
> Last week we identified an issue with the CKAN API that could potentially
> allow users to access the API with higher privileges than they should have.
> We discovered this vulnerability during our own development work and have
> no reason to believe that it is known to anyone outside the OKF team. We
> have created a patch and we would like to work with you to ensure that the EU ODP
> site is protected from the vulnerability as quickly as possible. Therefore
> please see the details below.
>
> The vulnerability exists in the "/api/action/user_update" API call so the
> first step is to ensure that this action isn't available to any external
> users. In previous discussions around the security of the site (during work
> on release 07.50) we agreed that certain URLs and API calls (including all
> "user" actions) would be blocked from the outside world by your proxy
> server (Big IP). However, looking at the API it looks like these rules
> haven't all been implemented. Therefore we need to ensure that the proxy
> configuration is changed as soon as possible. This will protect the site
> from the vulnerability until the patch is deployed.
>
> You can see the details of the URLs which need to be blocked at the link
> below:
>
> https://docs.google.com/a/okfn.org/document/d/1MoTsSe3kcQF1F7LeYI7pGEs9KvHX13E8jYSJV90RLDM/edit
>
> Blocking these URLs at the proxy will prevent external users accessing
> the affected API call so will protect the currently deployed release (08.x)
> and release 09.01.
>
> The next step is to create a new EU ODP release containing a small patch
> which removes the issue with that API call. This is a small code change so
> will be easy to deploy (no database migrations etc. are required) but it
> will require 10F to create a new RPM. We will also release an updated
> version of CKAN at the same time so we would like to make sure that your
> proxy configuration has been updated before then. (We won't be announcing
> the vulnerability when we release the new version but it would be best to
> have the proxy changes in place before it's released.)
>
> Therefore please see below the suggested timeline:
>
> * PO to update proxy configuration as soon as possible
> * OKF to commit patch to project - Thursday
> * 10F to create new RPM and send to PO - Thursday onwards
>
> We would like to release the CKAN upgrade to the CKAN community on
> Thursday. Therefore please can you let me know ASAP if you won't be able
> to update your proxy configuration by then?
>
> I'm afraid I'm out of the office tomorrow morning and so will probably not
> be able to join the weekly update call but David and John are available via
> email to answer any questions you might have. I'm also available for a call
> in the afternoon if that would be helpful.
>
> Kind regards,
>
> Darwin
>
> Darwin Peltan
> Project Manager | skype: darwinp | twitter: @darwin <http://twitter.com/darwin>
> The Open Knowledge Foundation <http://okfn.org/>
> Empowering through Open Knowledge
> http://okfn.org/ | @okfn <http://twitter.com/OKFN> | OKF on Facebook <https://www.facebook.com/OKFNetwork> |
> Blog <http://blog.okfn.org/> | Newsletter <http://okfn.org/about/newsletter>
> CKAN | http://ckan.org | @ckanproject <http://twitter.com/ckanproject> | open source data management platform
>
--
Bert Van Nuffelen
Semantic Technologies Software Architect at TenForce
www.tenforce.be
Bert.Van.Nuffelen at tenforce.com
Office: +32 (0)16 31 48 60
Mobile:+32 479 06 24 26
skype: bert.van.nuffelen
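The stopgap the thread relies on is a proxy-side rule: either the blanket redirect of everything under …/data/api* to the home page that Olivier describes as already deployed, or the narrower agreement to block the "user" actions (user_update among them) while leaving the rest of the API reachable. The block below is an added example written for this page to model both rules as a path-policy function; it is not the Big-IP configuration, not CKAN code, and not from the thread. The /data/api mount point, the home-page redirect target, the user_* pattern and the sample request targets are assumptions.

```python
"""Model of the two proxy rules discussed in the thread (illustrative only).

Rule A (the filter described as already in place): every request under the
CKAN API mount point (…/data/api*) is redirected to the home page.
Rule B (the narrower agreement from the 07.50 discussions): the "user"
family of actions, which includes user_update, is denied; other API calls
pass through.

Not the Big-IP configuration and not CKAN code.  The mount point, the
redirect target and the sample requests are assumptions for the example.
"""
import posixpath
import re
from urllib.parse import unquote

HOME_PAGE = "/"            # assumed redirect target for rule A
API_PREFIX = "/data/api"   # assumed API mount point (…/data/api* in the thread)

# Action names that must not be reachable from outside.  The thread names
# user_update; treating the whole user_* family alike matches the
# "all user actions" wording in the message.
BLOCKED_ACTION = re.compile(r"^user_[a-z_]+$")


def canonical_path(request_target: str) -> str:
    """Reduce a request target to the form the rules are matched against.

    Drops query and fragment, percent-decodes until stable (bounded),
    collapses repeated slashes, resolves '.'/'..' segments and lower-cases,
    so that cosmetic spellings of one path all get the same decision.
    """
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", "/" + path.replace("\\", "/"))
    return posixpath.normpath(path).lower()


def extract_action(path: str):
    """Return the action name from /data/api[/3]/action/<name>, else None."""
    segments = path[len(API_PREFIX):].strip("/").split("/")
    if "action" in segments:
        i = segments.index("action")
        if i + 1 < len(segments):
            return segments[i + 1]
    return None


def decide(request_target: str, mode: str = "blanket") -> dict:
    """Proxy decision for one request.

    mode="blanket"  -> rule A: redirect everything under API_PREFIX.
    mode="targeted" -> rule B: deny blocked actions, allow the rest.
    """
    path = canonical_path(request_target)
    under_api = path == API_PREFIX or path.startswith(API_PREFIX + "/")
    if not under_api:
        return {"action": "allow", "path": path}
    if mode == "blanket":
        return {"action": "redirect", "location": HOME_PAGE, "path": path}
    name = extract_action(path)
    if name and BLOCKED_ACTION.match(name):
        return {"action": "deny", "path": path, "ckan_action": name}
    return {"action": "allow", "path": path}


# Constructed sample request targets, including spellings that a rule must
# treat exactly like the plain form.
SAMPLE_REQUESTS = [
    "/data/dataset/some-dataset",
    "/data/api/action/package_search?q=budget",
    "/data/api/action/user_update",
    "/data/api/3/action/user_update",
    "/data//api/action/User_Update",
    "/data/api/action/%75ser_update",
    "/data/api/./action/../action/user_list",
]


def audit(mode: str = "targeted", requests=SAMPLE_REQUESTS) -> dict:
    """Map each request target to the decision the rules would give it."""
    return {r: decide(r, mode)["action"] for r in requests}


if __name__ == "__main__":
    for mode in ("blanket", "targeted"):
        print(f"--- {mode} ---")
        for req, verdict in audit(mode).items():
            print(f"{verdict:9}{req}")
```

Run as a script it prints the verdict for every sample under both rules. The point of canonical_path is that a block rule at the proxy is only as good as the path it matches against, so decoding and normalising must happen before the comparison. Rule A is the safer stopgap until the patched RPM is deployed because it does not depend on enumerating action names; rule B is what remains once the portal needs the public parts of the API back.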