PureSec researchers discovered an action mutability weakness in Apache OpenWhisk that could allow a remote attacker to overwrite the source code of the action being executed and influence subsequent executions of the same function in the same container.
According to the security advisory, OpenWhisk is an open source, serverless, distributed, event-based cloud platform that executes functions in response to events at any scale; it provides a programming model for uploading event handlers to a cloud service and registering them to respond to various events.
The vulnerability can be leveraged to leak sensitive action input data during subsequent executions, potentially belonging to different end users, and to execute rogue logic in parallel with the action's original logic in those subsequent executions.
“Serverless is currently at the forefront of cloud-based computing, and while hosted OpenWhisk options, such as IBM Cloud Functions, allow businesses to share some of the security responsibility with the provider, this latest vulnerability with OpenWhisk demonstrates an even greater need for defense in depth,” said Matt Chiodi, Vice President of Cloud Security at RedLock.
“With serverless, most of the underlying platform is obscured from the user, and this is a major positive from a security perspective as it means no more OS patching.”
Chiodi added that security teams now need to shift their focus to permissions, application libraries and data security, and that any information disclosure resulting from this type of vulnerability can be mitigated, to a certain extent, by limiting the permissions granted to the compromised function.
James Lerud, head of the Behavioral Research Team at Verodin, wasn't too surprised by the vulnerability, as OpenWhisk is a fairly new project under active development.
“These types of discoveries are essential to the healthy development of open-source projects. Fortunately, the vulnerability was responsibly disclosed by the PureSec team and quickly fixed by OpenWhisk contributors,” Lerud said. “Anyone considering using a ‘serverless’ architecture should fully understand and accept the security concerns involved; many traditional controls such as an IDS/IPS may not be applicable to such an architecture.”
PureSec notified Apache of the OpenWhisk vulnerability and provided the advisory and code fix recommendations to the project. As a result, two CVEs were assigned to this weakness: CVE-2018-11756 and CVE-2018-11757.
Apache also recently released security updates for Apache Tomcat to address vulnerabilities that a remote attacker could exploit to obtain sensitive information.
Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86 were affected. The vulnerabilities have since been addressed, and officials recommend that users apply the updates as soon as possible.