Riak Security Alert

Mark Phillips mark at basho.com
Wed Jun 20 13:16:42 EDT 2012


Hi All,

Ben Murphy has notified us of a vulnerability [1] that can be executed
against Riak's HTTP API. Basho immediately assigned Engineers to work with
the reporter to both verify the vulnerability and to identify a patch.  We
have confirmed that this vulnerability affects all versions of Riak.

We are releasing both a security patch (for Riak versions 1.0.3 and 1.1.2)
and a full 1.1.4 security release.  We advise all users of Riak to either
apply the appropriate patch or upgrade to 1.1.4.  If you are running a
version of Riak other than 1.0.3 or 1.1.2, it will be necessary to upgrade
to 1.1.4.
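The paragraph above sorts every Riak node into one of three situations: already on 1.1.4 or later, on 1.0.3 or 1.1.2 (patch or upgrade), or on any other version (upgrade only). The following script is an added example, not Basho's code and not part of the original message; it encodes that decision so an operator can audit a fleet before choosing a mitigation path. It assumes that each node's HTTP /stats endpoint returns a JSON body with a riak_kv_version key (true of Riak 1.x nodes, but treated here as an assumption) and uses constructed sample bodies in place of live requests. One caveat a practitioner should keep in mind: a 1.0.3 or 1.1.2 source build that already has the patch applied still reports its original version, so the version check is a first pass, not proof that a node is unpatched.

```python
import json
import re

# Versions below this carry the vulnerability described in the advisory.
FIXED_VERSION = (1, 1, 4)
# Versions for which Basho published a source patch as an alternative to upgrading.
PATCHABLE_VERSIONS = {(1, 0, 3), (1, 1, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a version string such as '1.1.2' into a comparable (major, minor, patch) tuple.
    Raises ValueError for anything that does not start with three dotted integers."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Riak version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def classify(version):
    """Map a (major, minor, patch) tuple to the action the advisory calls for."""
    if version >= FIXED_VERSION:
        return "fixed"
    if version in PATCHABLE_VERSIONS:
        return "patch-or-upgrade"
    return "upgrade"


def audit_stats(stats_json):
    """Given the JSON body of a node's HTTP /stats response (assumption: it carries a
    'riak_kv_version' key, as Riak 1.x nodes do), return (version_string, action)."""
    stats = json.loads(stats_json)
    raw = stats.get("riak_kv_version")
    if raw is None:
        raise KeyError("riak_kv_version missing from /stats output")
    return raw, classify(parse_version(raw))


# Constructed sample /stats bodies standing in for three nodes; a real audit would
# fetch http://<host>:<port>/stats from each node instead of using these literals.
SAMPLE_NODES = {
    "dev1": '{"riak_kv_version": "1.1.2", "nodename": "dev1@127.0.0.1"}',
    "dev2": '{"riak_kv_version": "1.0.1", "nodename": "dev2@127.0.0.1"}',
    "prod1": '{"riak_kv_version": "1.1.4", "nodename": "prod1@10.0.0.5"}',
}


def audit_fleet(nodes):
    """Return {node_name: (version, action)} for every node whose /stats body is given."""
    return {name: audit_stats(body) for name, body in nodes.items()}


if __name__ == "__main__":
    for name, (version, action) in sorted(audit_fleet(SAMPLE_NODES).items()):
        print("%-6s riak_kv %-6s -> %s" % (name, version, action))
```

Nodes reported as "patch-or-upgrade" can follow the patch directions below; anything reported as "upgrade" has no patch and must move to 1.1.4.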

Vulnerability Details

The attack is launched through a malicious website. The attack against this
vulnerability requires that the attacker have knowledge of both the IP
address (or hostname) and the port that the target Riak node is running on.
The attack requires that the machine which visits the malicious website
has access to the Riak node, either locally or via a networked connection.
The most obvious targets for this attack would be developer installs
running default configurations.  It does not require that the target Riak
node is exposed to the Internet.

This vulnerability can result in keys being overwritten, data being
uploaded to the target's Riak node, or other malicious behavior.

Production installations that are behind a firewall and only accessible via
your application are not vulnerable.

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-3586 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

Additional information about the exploit will be released in the next few
weeks.

Mitigation

There are three ways to secure your Riak node from this exploit.

1. Upgrade to Riak 1.1.4, a security release
2. Apply a patch to a source build of Riak 1.0.3 or 1.1.2
3. Do not use a web browser on machines with network access to a Riak
installation

How to Upgrade to 1.1.4

Riak version 1.1.4 packages and source are available here:

http://basho.com/resources/downloads/

For non-development installs we recommend that you perform a rolling
upgrade.  This process is documented here:

https://help.basho.com/entries/21397673-rolling-upgrades

For development installs, please see our regular installation guides:

https://help.basho.com/entries/21460643-installation

How to Apply the Security Patch

This patch is only for Riak versions 1.0.3 and 1.1.2.  For users of all
other versions, please see the directions on how to upgrade to 1.1.4.

First, download the patch to the riak/deps/riak_kv directory:

http://s3.amazonaws.com/downloads.basho.com/riak/1.1/1.1.4/164-fix.patch

Second, in the riak/deps/riak_kv directory:

patch -p1 < 164-fix.patch

Third, in the top-level riak directory:

./rebar compile

Client Library Compatibility

Users of the official Python client [2] will need to upgrade to version
1.4.1 in order to continue using MapReduce over HTTP. (There will be a
separate email about this momentarily.)

Let us know if you have any questions.

Mark and the Basho Team

[1] https://github.com/basho/riak/issues/164
[2] https://github.com/basho/riak-python-client