[ECODP-dev] Important: ODP - CKAN security upgrade and restricting API access

ISOARD Olivier (OP) Olivier.ISOARD at publications.europa.eu
Wed Aug 7 07:56:57 UTC 2013


Hi,

Perfect then ☺

Olivier

From: Bert Van Nuffelen [mailto:bert.van.nuffelen at tenforce.com]
Sent: Wednesday, August 07, 2013 9:44 AM
To: ISOARD Olivier (OP)
Cc: Darwin Peltan; Project list for EC ODP CKAN project; ZAJAC Agnieszka (OP); HOHN Norbert (OP); Gavin Chait; Laura James
Subject: Re: Important: ODP - CKAN security upgrade and restricting API access

Hi Olivier,
we are already considering this.
Best,
Bert

2013/8/7 ISOARD Olivier (OP) <Olivier.ISOARD at publications.europa.eu>
Hi Darwin,

We've already implemented a drastic filter at our BIG-IP level which completely disables access to the CKAN API (…/data/api*). Any request to it is redirected to the home page.

About the coming patch, could you please discuss with 10F, because they are also preparing a delivery for the new version of SEMMAP and it would be preferable if we could combine both elements in one single delivery ;-)

Best regards

Olivier


From: Darwin Peltan [mailto:darwin.peltan at okfn.org]
Sent: Tuesday, August 06, 2013 4:41 PM
To: ISOARD Olivier (OP)
Cc: Project list for EC ODP CKAN project; ZAJAC Agnieszka (OP); HOHN Norbert (OP); Gavin Chait; Laura James; Bert Van Nuffelen (bert.van.nuffelen at tenforce.com)
Subject: Re: Important: ODP - CKAN security upgrade and restricting API access

Hi Olivier,

Thanks for your email. We will be releasing the patch next Tuesday to give portal owners a bit more time to prepare. Please can you confirm that your proxy server will be updated by then?

Best,

Darwin


Darwin Peltan

Project Manager  |  skype: darwinp  |  twitter: @darwin<http://twitter.com/darwin>

The Open Knowledge Foundation<http://okfn.org/>

Empowering through Open Knowledge

http://okfn.org/  |  @okfn<http://twitter.com/OKFN>  |  OKF on Facebook<https://www.facebook.com/OKFNetwork>  |  Blog<http://blog.okfn.org/>  |  Newsletter<http://okfn.org/about/newsletter>

CKAN | http://ckan.org<http://ckan.org/> | @ckanproject<http://twitter.com/ckanproject> | open source data management platform

On 6 August 2013 06:59, ISOARD Olivier (OP) <Olivier.ISOARD at publications.europa.eu> wrote:
Hi Darwin,

Thanks for your message. We will take all necessary action ASAP.

About the delivery of a hotfix, feel free to organize it.

Let's call it 00.09.02

Regards
Olivier


From: Darwin Peltan [mailto:darwin.peltan at okfn.org]
Sent: Monday, August 05, 2013 5:37 PM
To: ISOARD Olivier (OP); Project list for EC ODP CKAN project; ZAJAC Agnieszka (OP); HOHN Norbert (OP); Gavin Chait; Laura James
Subject: Important: CKAN security upgrade and restricting API access

Dear Olivier,
Last week we identified an issue with the CKAN API that could potentially allow users to access the API with higher privileges than they should have. We discovered this vulnerability during our own development work and have no reason to believe that it is known to anyone outside the OKF team. We have created a patch and we would like to work with you to ensure that the EU ODP site is protected from the vulnerability as quickly as possible. Therefore please see the details below.
The vulnerability exists in the "/api/action/user_update" API call, so the first step is to ensure that this action isn't available to any external users. In previous discussions around the security of the site (during work on release 07.50) we agreed that certain URLs and API calls (including all "user" actions) would be blocked from the outside world by your proxy server (Big IP). However, looking at the API, it looks like these rules haven't all been implemented. Therefore we need to ensure that the proxy configuration is changed as soon as possible. This will protect the site from the vulnerability until the patch is deployed.
You can see the details of the URLs which need to be blocked at the link below:
https://docs.google.com/a/okfn.org/document/d/1MoTsSe3kcQF1F7LeYI7pGEs9KvHX13E8jYSJV90RLDM/edit
Blocking these URLs at the proxy will prevent external users from accessing the affected API call, and so will protect the currently deployed release (08.x) and release 09.01.
The next step is to create a new EU ODP release containing a small patch which removes the issue with that API call. This is a small code change, so it will be easy to deploy (no database migrations etc. are required), but it will require 10F to create a new RPM. We will also release an updated version of CKAN at the same time, so we would like to make sure that your proxy configuration has been updated before then. (We won't be announcing the vulnerability when we release the new version, but it would be best to have the proxy changes in place before it's released.)
Therefore please see the suggested timeline below:
* PO to update proxy configuration as soon as possible
* OKF to commit patch to project - Thursday
* 10F to create new RPM and send to PO - Thursday onwards
We would like to release the CKAN upgrade to the CKAN community on Thursday. Therefore, please can you let me know ASAP if you won't be able to update your proxy configuration by then?
I'm afraid I'm out of the office tomorrow morning and so will probably not be able to join the weekly update call but David and John are available via email to answer any questions you might have. I'm also available for a call in the afternoon if that would be helpful.
Kind regards,
Darwin






--
Bert Van Nuffelen

Semantic Technologies Software Architect at TenForce
www.tenforce.be

Bert.Van.Nuffelen at tenforce.com
Office: +32 (0)16 31 48 60
Mobile:+32 479 06 24 26
skype: bert.van.nuffelen
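The thread's stop-gap is a proxy rule set (block the whole /data/api* prefix, and in particular every "user" action such as /api/action/user_update) that, as Darwin notes, had not been fully implemented. The script below is an added example, not code from the EU ODP project, OKF, TenForce or CKAN: it probes a deployment from the outside and reports, per path, whether the proxy redirects, denies, or lets CKAN's action API answer. The pattern for "user_*" actions beyond user_update, the host name portal.example and the canned responses are assumptions and constructed data, not observations of the ODP portal. The one subtlety it encodes: a bare 403 is not proof the proxy blocks a path, because CKAN itself answers an unauthorised user_update with 403 plus its JSON envelope, and that envelope proves the endpoint is reachable.

```python
"""Probe a CKAN deployment and report whether the API paths that the reverse
proxy is supposed to block are really unreachable from the outside.

Added example for this thread, not project code. Only the /data/api* prefix
and /api/action/user_update come from the thread; everything else is assumed.
"""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Policy: paths that must never be reachable by an outside client.
BLOCKED_PATTERNS = [
    re.compile(r"^/data/api(?:/|$)"),                  # whole CKAN API mounted under /data
    re.compile(r"^/api/(?:\d+/)?action/user_[a-z_]+$"),  # any "user" action, e.g. user_update (assumed list)
]


def is_blocked_path(url_or_path: str) -> bool:
    """True if the path part of URL_OR_PATH falls under the block policy."""
    path = urlsplit(url_or_path).path
    return any(p.match(path) for p in BLOCKED_PATTERNS)


def classify(status: int, headers: dict, body: bytes) -> str:
    """Decide what a response to a blocked path tells us.

    'exposed'    : CKAN's action API answered (JSON envelope with 'success'
                   or 'help'), so the proxy rule is missing. Checked first:
                   CKAN returns 403 + JSON for an unauthorised user_update,
                   and that 403 proves the endpoint is reachable.
    'redirected' : 3xx whose Location is the site home page, as the thread
                   says the BIG-IP filter does.
    'denied'     : 401/403/404 without an API body, i.e. stopped before CKAN.
    'unknown'    : anything else; look at it by hand.
    """
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        doc = None
    if isinstance(doc, dict) and ("success" in doc or "help" in doc):
        return "exposed"
    if 300 <= status < 400:
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        return "redirected" if urlsplit(location).path in ("", "/") else "unknown"
    if status in (401, 403, 404):
        return "denied"
    return "unknown"


def fetch_http(base: str, path: str):
    """Real fetcher: one request, redirects NOT followed; returns (status, headers, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for the 3xx instead of following it

    req = urllib.request.Request(base.rstrip("/") + path,
                                 headers={"User-Agent": "api-block-check"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def check(base: str, paths, fetch=fetch_http) -> dict:
    """Probe each path and map it to a verdict. Any 'exposed' entry is a gap
    that must be closed at the proxy before relying on it as the stop-gap."""
    verdicts = {}
    for path in paths:
        if not is_blocked_path(path):
            verdicts[path] = "not-in-policy"
            continue
        status, headers, body = fetch(base, path)
        verdicts[path] = classify(status, headers, body)
    return verdicts


# Constructed responses imitating a proxy where the /data/api* rule exists but
# the un-prefixed /api/... path still reaches CKAN. Not real observations.
CANNED = {
    "/data/api/action/user_update": (302, {"Location": "https://portal.example/"}, b""),
    "/api/3/action/user_update": (403, {"Content-Type": "application/json"},
        b'{"help": "...", "success": false, "error": {"__type": "Authorization Error"}}'),
    "/api/3/action/package_list": (200, {"Content-Type": "application/json"},
        b'{"help": "...", "success": true, "result": []}'),
}


def fetch_canned(base, path):
    """Offline stand-in for fetch_http, serving the constructed responses above."""
    return CANNED.get(path, (404, {}, b"not found"))


if __name__ == "__main__":
    for path, verdict in check("https://portal.example", CANNED, fetch_canned).items():
        print(f"{verdict:>14}  {path}")
```

Against a live portal, call `check(base, paths)` with the real path list from the agreed document and the default `fetch_http`; run it from outside the proxy, since from inside the rules do not apply and every path will look exposed.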