Hi All,

Ben Murphy has notified us of a vulnerability [1] that can be executed against Riak's HTTP API. Basho immediately assigned Engineers to work with the reporter to both verify the vulnerability and to identify a patch. We have confirmed that this vulnerability affects all versions of Riak.

We are releasing both a security patch (for Riak versions 1.0.3 and 1.1.2) and a full 1.1.4 security release. We advise all users of Riak to either apply the appropriate patch or upgrade to 1.1.4. If you are running a version of Riak other than 1.0.3 or 1.1.2, it will be necessary to upgrade to 1.1.4.

Vulnerability Details

The attack is launched through a malicious website. The attack against this vulnerability requires that the attacker have knowledge of both the IP address (or hostname) and the port that the target Riak node is running on. The attack requires that the machine which visits the malicious website has access to the Riak node, either locally or via a networked connection. The most obvious targets for this attack would be developer installs running default configurations. It does not require that the target Riak node is exposed to the Internet. This vulnerability can result in keys being overwritten, data being uploaded to the target's Riak node, or other malicious behavior. Production installations that are behind a firewall and only accessible via your application are not vulnerable.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-3586 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Additional information about the exploit will be released in the next few weeks.

Mitigation

There are three ways to secure your Riak node from this exploit.

1. Upgrade to Riak 1.1.4, a security release
2. Apply a patch to a source build of Riak 1.0.3 or 1.1.2
3. Do not use a web browser on machines with network access to a Riak installation

How to Upgrade to 1.1.4

Riak version 1.1.4 packages and source are available here: http://basho.com/resources/downloads/

For non-development installs we recommend that you perform a rolling upgrade. This process is documented here: https://help.basho.com/entries/21397673-rolling-upgrades

For development installs, please see our regular installation guides: https://help.basho.com/entries/21460643-installation

How to Apply the Security Patch

This patch is only for Riak versions 1.0.3 and 1.1.2. For users of all other versions, please see the directions on how to upgrade to 1.1.4.

First, download the patch to the riak/deps/riak_kv directory: http://s3.amazonaws.com/downloads.basho.com/riak/1.1/1.1.4/164-fix.patch

Second, in the riak/deps/riak_kv directory (the file name matches the one in the download URL):

    patch -p1 < 164-fix.patch

Third, in the top-level riak directory:

    ./rebar compile

Client Library Compatibility

Users of the official Python client [2] will need to upgrade to version 1.4.1 in order to continue using MapReduce over HTTP. (There will be a separate email about this momentarily.)

Let us know if you have any questions.

Mark and the Basho Team

[1] https://github.com/basho/riak/issues/164
[2] https://github.com/basho/riak-python-client
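An audit helper to go with the mitigation advice in the message above, written as an added example for this page rather than code from Basho or the Riak project. It assumes (the advisory does not say so) that each node's HTTP API answers GET /stats with a JSON object containing a riak_kv_version string and listens on port 8098 by default; the SAMPLE_STATS responses are constructed, not captured from real nodes. The one thing a version check cannot tell you is whether a 1.0.3 or 1.1.2 node has already had the source patch applied, since the patch does not change the reported version string, so such nodes are reported for manual confirmation rather than marked safe.

```python
"""Flag Riak nodes whose reported version predates the 1.1.4 security
release for CVE-2012-3586.

Added example, not Basho's code. Assumptions not stated in the advisory:
  - GET /stats on the HTTP API returns JSON with a "riak_kv_version"
    string, and the API listens on port 8098 by default.
  - A source-patched 1.0.3 / 1.1.2 node still reports its old version,
    so it is flagged for manual confirmation rather than declared safe.
"""
import json
import re
from urllib.request import urlopen

FIXED_VERSION = (1, 1, 4)                  # first release carrying the fix
PATCHABLE_VERSIONS = {(1, 0, 3), (1, 1, 2)}  # versions the source patch covers


def parse_version(text):
    """Return the leading numeric components of a version string as a tuple.

    '1.1.2' -> (1, 1, 2); '1.2.0rc1' -> (1, 2, 0). Raises ValueError when
    the string has no numeric prefix, so garbage is never compared as 'old'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    return tuple(int(part) for part in m.group(1).split("."))


def assess(stats_json):
    """Classify one node from the JSON text of its /stats response.

    Returns {"version": <reported string or None>, "verdict": <one of>}
      'fixed'            - version >= 1.1.4
      'patch-or-upgrade' - 1.0.3 or 1.1.2: the patch may be applied, but the
                           version string cannot prove it; confirm by hand
      'upgrade'          - any other older version: only an upgrade fixes it
      'unknown'          - no riak_kv_version field in the response
    """
    stats = json.loads(stats_json)
    reported = stats.get("riak_kv_version")
    if reported is None:
        return {"version": None, "verdict": "unknown"}
    version = parse_version(reported)
    if version >= FIXED_VERSION:
        verdict = "fixed"
    elif version in PATCHABLE_VERSIONS:
        verdict = "patch-or-upgrade"
    else:
        verdict = "upgrade"
    return {"version": reported, "verdict": verdict}


def check_node(host, port=8098, timeout=5):
    """Fetch /stats from a live node and assess it (needs network access)."""
    with urlopen("http://%s:%d/stats" % (host, port), timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8"))


# Constructed sample responses (not captured from real nodes), one per verdict.
SAMPLE_STATS = {
    "dev1": '{"nodename":"dev1@127.0.0.1","riak_kv_version":"1.1.2"}',
    "dev2": '{"nodename":"dev2@127.0.0.1","riak_kv_version":"1.0.1"}',
    "prod": '{"nodename":"prod@10.0.0.5","riak_kv_version":"1.1.4"}',
}


def audit(samples=SAMPLE_STATS):
    """Assess every (name, stats JSON) pair and return {name: result}."""
    return {name: assess(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in sorted(audit().items()):
        print("%-6s %-8s %s" % (name, result["version"], result["verdict"]))
```

To run it against real nodes, replace the SAMPLE_STATS loop with calls to check_node(host) for each node in your inventory; the decision logic is kept separate from the fetch so it can be exercised offline.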
_______________________________________________ riak-users mailing list riak-users@lists.basho.com http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com