Apache OpenWhisk critical information leak vulnerability exposed

The security flaws allow remote attackers to overwrite source code.

Researchers have disclosed the existence of severe vulnerabilities in Apache OpenWhisk which could lead to sensitive information disclosure.

According to cybersecurity firm PureSec, the bugs are present in Apache OpenWhisk, an open-source platform for serverless computing. Commercial deployments of the technology include IBM Cloud Functions.

The vulnerabilities are described in a whitepaper documenting the research (.PDF) and are tracked under CVE-2018-11756 and CVE-2018-11757.

Apache OpenWhisk executes functions in response to events. The software utilizes rapid auto-scaling and provides a program which can be used to create functions as cloud-based native event handlers in order to execute functions automatically inside runtime containers.

However, under specific conditions, remote attackers are able to tamper with and overwrite the source code of a vulnerable function being executed in a runtime container.

When actions run inside OpenWhisk, the system interacts with them through a REST interface. There are two endpoints inside each action container: init and run. If an action contains the vulnerabilities, attackers can force the action to launch a local HTTP request to init in the REST interface via port 8080.

When the request has been launched, threat actors are then able to overwrite the source code of the action -- despite the REST endpoint failing to issue a response.

The request can be forced by exploiting a remote code execution vulnerability in the action's logic, by exploiting a cross-site scripting flaw or SSRF bug in the action, or by exploiting the unsafe use of eval() in different relevant runtime languages.

A successful attack exploiting these vulnerabilities can lead to the leak of sensitive action data belonging to different end-users, and potentially, hackers would also be able to execute rogue logic in parallel and, therefore, launch subsequent attacks at the same time -- transforming one assault into a widespread and persistent cyberattack.

PureSec reported its findings to Apache OpenWhisk together with a suggested fix to mitigate the risk of compromise on 5 June. Apache OpenWhisk confirmed receipt of the report a day later.

By 3 July, pull requests were issued to normalize how OpenWhisk handles init across all the runtimes in order to mitigate the problem.
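The init/run behaviour described above can be modelled with a toy action proxy, shown here as an added example that is not taken from PureSec's paper or the OpenWhisk code base. It contrasts a proxy that accepts a second init with one that refuses it. The init-once guard, the JSON payload shape, the 403 status and the loopback port are assumptions of this sketch; the article only states that init handling was normalized across runtimes.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_proxy(init_once):
    """Toy action proxy (constructed); init_once=True is the hardened variant."""
    state = {"code": None}
    class Proxy(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass
        def reply(self, status, body):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            payload = json.loads(self.rfile.read(length) or b"{}")
            if self.path == "/init":
                # Guard: code is loaded once; any later /init is refused.
                if init_once and state["code"] is not None:
                    return self.reply(403, {"error": "already initialized"})
                state["code"] = payload.get("value", {}).get("code", "")
                return self.reply(200, {"ok": True})
            if self.path == "/run":
                return self.reply(200, {"loaded_code": state["code"]})
            return self.reply(404, {"error": "not found"})

    return HTTPServer(("127.0.0.1", 0), Proxy)  # port 0 = any free port

def post(server, path, body):
    conn = http.client.HTTPConnection(*server.server_address, timeout=5)
    conn.request("POST", path, json.dumps(body))
    resp = conn.getresponse()
    return resp.status, json.loads(resp.read())

def second_init_result(init_once):
    """Init twice; return (status of 2nd init, code the container still holds)."""
    server = make_proxy(init_once)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    post(server, "/init", {"value": {"code": "ORIGINAL"}})
    status, _ = post(server, "/init", {"value": {"code": "REPLACED"}})
    loaded = post(server, "/run", {})[1]["loaded_code"]
    server.shutdown()
    server.server_close()
    return status, loaded
```

Calling `second_init_result(False)` shows the loaded code being swapped by the second init, while `second_init_result(True)` shows the guarded proxy rejecting it and keeping the original code.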

"The security of functions is an important tenet of serverless computing. The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure," said Rodric Rabbah, one of the creators of Apache OpenWhisk.
