
H2 Security Vulnerability

Open jsabin opened this issue 6 years ago • 2 comments

https://www.cvedetails.com/cve/CVE-2018-14335/

As of 1 Nov, 2018 there is no fix for this.

jsabin avatar Nov 01 '18 16:11 jsabin

Looking at that myself, my personal opinion is that it's debatable whether that's a security vulnerability or a feature, but it is behaviour that should be documented (whether symlinks are followed or not).

If you look carefully at the exploit it's not one that can be done with external access. It requires access to the filesystem in the first place which kairos doesn't give. It all works through the benefit of being run on the same machine as kairos.

After reading the proof of concept, the description confirms that:

Authentication | Single system (The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).)

If you try to run that script on a machine that's not running kairos and see what happens, you then realise that for the exploit to work you need escalated access to begin with. Is it really an exploit in that case?

If the user by error symlinks to the wrong place then that might be an issue but that's more on the user than the database engine.

In a shared multi-user environment it might be more of a concern. It seems to be saying that the kairos backup function gives access to the filesystem as the kairos user which in some circumstances might be a problem. However, it would still require write access to the directory in question in the first place to make the symlink. It smells to me like probably not a vulnerability but user error or default perms error (not on a folder of the right owner and perms).

I can't even find in the repo here where this tool's backup functionality is coming from, though there are some compressed unsearchable binaries here. It might not even relate to kairosdb.

In fact going back to the link, it says this:

Application | H2database | H2

How does this relate to KairosDB if it's an obscure error with another database product?

If you check the getting started documentation, KairosDB only intends H2 to be used for testing and development, so it's only really a question of whether H2 external endpoints are enabled even in a production setup where a different database might be applied, or whether H2 utility endpoints are exposed at all.

joeyhub avatar Mar 16 '19 14:03 joeyhub
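As an added defensive check, not code from this thread or from the KairosDB or H2 projects: the comment above notes that the concern is a backup routine following a symlink planted inside the directory it reads. This helper lists the symlinks under a backup directory whose resolved target lies outside it, which is what an operator would want to audit before enabling such a feature on a shared host. The directory layout built in `demo()` is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(backup_root: str) -> list[tuple[str, str]]:
    """Return (link, target) pairs for every symlink under backup_root whose
    fully resolved target is outside backup_root. A backup routine that
    follows such links would read paths the directory owner never intended."""
    root = Path(backup_root).resolve()
    findings = []
    # followlinks=False: never descend into symlinked directories ourselves
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # resolves the whole chain of links
            if target != root and root not in target.parents:
                findings.append((str(link.relative_to(root)), str(target)))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed layout: a regular file, a symlink that stays inside the
    backup directory, and a symlink pointing outside it. Returns the audit
    result, which should name only the escaping link."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "backup")
        root.mkdir()
        (root / "data.db").write_text("sample database file")
        (root / "data-link").symlink_to(root / "data.db")  # in-tree, fine
        outside = Path(tmp, "outside.txt")
        outside.write_text("not part of the backup")
        (root / "escape").symlink_to(outside)  # resolves outside the root
        return escaping_symlinks(str(root))


if __name__ == "__main__":
    for link, target in demo():
        print(f"symlink {link!r} escapes the backup directory -> {target}")
```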

Hey thanks for the analysis. Definitely a low priority.

brianhks avatar Mar 16 '19 14:03 brianhks