Impact
It is possible to inject scripts from accepted or pending nodes, through remote run output, and some inventory data (namely the OS name and installed software list).
Other script injections are also possible with content written by Rudder users (rules tags), potentially allowing privilege escalation.
Patches
All Rudder versions are affected. The fixes are published on 2022/07/26 in:
Workarounds
Warning: This will prevent receiving any inventories from the accepted and pending nodes, so it disables inventory updates and node acceptance. It will also prevent remote runs of the agents triggered from the Rudder server.
Add the following at the end of /opt/rudder/etc/rudder-apache-relay-ssl.conf on your Rudder server:
# To disable inventory reception
<Location /inventory-updates>
Require all denied
</Location>
<Location /inventories>
Require all denied
</Location>
# To disable remote-run, and prevent users from triggering it
<Location /rudder/relay-api/remote-run>
Require all denied
</Location>
Then reload the apache2 or httpd service. This file will be automatically overwritten at the next server update (which will contain the fix), so there will be nothing else to do.
To check that the change is in place, you can try to trigger an agent run in the Compliance details tab of a node. You should get a message like:
Error occured when contacting internal remote-run API to apply classes on Node 'NODEID': (HTTP code 403)
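As an added example (not part of the advisory or of the Rudder project's own code), the following Python script gives a second way to verify the workaround without triggering a run from the UI: it parses the Apache configuration text, collects every `<Location>` block with its `Require` directives, and reports which of the three paths the workaround must deny are still reachable. The configuration texts embedded below are constructed for the example; on a real server you would read `/opt/rudder/etc/rudder-apache-relay-ssl.conf` instead.

```python
"""Check that the Rudder relay Apache workaround is in place.

Added example, not code from the Rudder advisory or project. It parses an
Apache configuration text, maps each <Location> block to its Require
directives, and lists which of the workaround's three paths are not denied.
"""
import re

# Paths the advisory's workaround denies (taken from the advisory text).
WORKAROUND_PATHS = (
    "/inventory-updates",
    "/inventories",
    "/rudder/relay-api/remote-run",
)

_LOCATION_RE = re.compile(
    r"<Location\s+(?P<path>\S+)\s*>(?P<body>.*?)</Location>",
    re.DOTALL | re.IGNORECASE,
)
_REQUIRE_RE = re.compile(r"^\s*Require\s+(.+?)\s*$", re.MULTILINE | re.IGNORECASE)


def location_requires(config_text):
    """Map each <Location> path to the list of its Require directives (lowercased).

    Comment lines are dropped first, so a commented-out "# Require all denied"
    does not count as a denial. Matching is on the exact path written in the
    Location directive, which is what the advisory's snippet uses.
    """
    stripped = "\n".join(
        line for line in config_text.splitlines()
        if not line.lstrip().startswith("#")
    )
    result = {}
    for m in _LOCATION_RE.finditer(stripped):
        path = m.group("path").strip('"')
        requires = [r.lower() for r in _REQUIRE_RE.findall(m.group("body"))]
        result.setdefault(path, []).extend(requires)
    return result


def missing_denials(config_text, paths=WORKAROUND_PATHS):
    """Return the workaround paths that have no 'Require all denied' block."""
    requires = location_requires(config_text)
    return [p for p in paths if "all denied" not in requires.get(p, [])]


# Constructed sample: an existing relay config with the workaround appended.
SAMPLE_WITH_WORKAROUND = """\
<Location /rudder/relay-api>
    Require all granted
</Location>
# To disable inventory reception
<Location /inventory-updates>
Require all denied
</Location>
<Location /inventories>
Require all denied
</Location>
# To disable remote-run, and prevent users from triggering it
<Location /rudder/relay-api/remote-run>
Require all denied
</Location>
"""

# Constructed sample: an incomplete edit where one denial was commented out
# and the remote-run block was never added.
SAMPLE_PARTIAL = """\
<Location /inventory-updates>
Require all denied
</Location>
<Location /inventories>
# Require all denied
</Location>
"""

if __name__ == "__main__":
    for name, cfg in (("complete", SAMPLE_WITH_WORKAROUND), ("partial", SAMPLE_PARTIAL)):
        gaps = missing_denials(cfg)
        status = "workaround in place" if not gaps else "still reachable: " + ", ".join(gaps)
        print(f"{name}: {status}")
```

Run it against the real file with `missing_denials(open("/opt/rudder/etc/rudder-apache-relay-ssl.conf").read())`; an empty list means all three paths are denied in the configuration text, and the 403 from the Compliance details tab confirms the reloaded service actually enforces it.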
References