CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn

Severity

Major

Vendor

The Apache Software Foundation

Versions Affected

Apache Brooklyn 0.9.0 and all prior versions

Description

Apache Brooklyn’s REST server is vulnerable to cross-site request forgery (CSRF), which could permit a malicious web site to produce a link which, if clicked whilst a user is logged in to Brooklyn, would cause the server to execute the attacker’s commands as the user. There is known to be a proof-of-concept exploit using this vulnerability.

Solution

Upgrade to Apache Brooklyn 0.10.0. This includes a commit adding opt-in CSRF protection server-side (see 1) and a commit in which the JS client opts in (see 2).

Temporary mitigation if you cannot upgrade to 0.10.0

Do not visit websites with possible malicious content targeted at you in the same browser instance logged in to Brooklyn unless you have CSRF-POST protection installed in the browser (see 3). Do not share a Brooklyn server with untrusted users without an enhanced entitlements scheme. Do not publicize the address of Brooklyn-based UIs. If a link you click on takes you to Brooklyn unexpectedly, contact your security team immediately.

Example exploit

Attacker puts something like this into their malicious site:

<form action="http://<Brooklyn>/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked" method="POST">

If the user clicks on this when logged in, the name of that entity will be changed by the attacker.
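The server-side check that defeats this request, as an added Python example; it is not Brooklyn's own (Java) code, and the header name, the in-memory session store and the per-session token scheme are assumptions. The browser attaches the session cookie to the attacker's form POST automatically but cannot add a custom header to it, so requiring a header-borne token on every state-changing request blocks the forged POST while an opted-in JS client that echoes the token keeps working.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only, no state change
TOKEN_HEADER = "x-csrf-token"               # assumed header name (not Brooklyn's)
SESSIONS = {}                               # constructed in-memory store: cookie -> Session


@dataclass
class Session:
    user: str
    csrf_token: str  # issued at login; the JS client must send it back in a header


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def login(user):
    """Create a cookie-backed session plus a random per-session CSRF token."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(user, secrets.token_urlsafe(32))
    return cookie, SESSIONS[cookie].csrf_token


def csrf_check(req):
    """Return (allowed, reason) for a request against the cookie-authenticated API."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return False, "unauthenticated"
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Header names are case-insensitive; look the token up case-insensitively.
    sent = {k.lower(): v for k, v in req.headers.items()}.get(TOKEN_HEADER)
    if sent is None:
        return False, "missing CSRF token"        # the cross-site form POST ends here
    if not hmac.compare_digest(sent, session.csrf_token):
        return False, "bad CSRF token"
    return True, "token ok"


if __name__ == "__main__":
    cookie, token = login("alice")
    path = "/v1/applications/oadP4rZU/entities/oadP4rZU/name?name=hacked"
    print(csrf_check(Request("POST", path, cookies={"session": cookie})))
    print(csrf_check(Request("POST", path, {"X-Csrf-Token": token}, {"session": cookie})))
```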

Credit

This vulnerability was discovered by Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc., and reported to JPCERT/CC, who reported it to the Apache Software Foundation on his behalf.

References

  1. https://github.com/apache/brooklyn-server/pull/430
  2. https://github.com/apache/brooklyn-ui/pull/37
  3. https://en.wikipedia.org/wiki/Cross-site_request_forgery#Client_side_safeguards

Other references

JPCERT/CC JVN#55489964