CVE-2020-13924: Apache Ambari Arbitrary File Download Vulnerability Alert

Apache Ambari is a software project of the Apache Software Foundation. Ambari enables system administrators to provision, manage and monitor a Hadoop cluster, and also to integrate Hadoop with the existing enterprise infrastructure. Ambari was a sub-project of Hadoop but is now a top-level project in its own right.

Recently, Apache officially announced an arbitrary file download vulnerability (CVE-2020-13924) in Apache Ambari. The authorization filter in Ambari Server has a design flaw: it matches its access rules against the raw request URI rather than the path the server actually dispatches to. A malicious user can craft a URI that passes the filter's checks and then construct file names that traverse directories to download files.

Vulnerability Detail

The root cause is the use of `String requestURI = httpRequest.getRequestURI();` in the authorization filter (org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter). `getRequestURI()` returns the request path exactly as the client sent it, neither percent-decoded nor normalized, and that raw string is what every later pattern match in the filter operates on:

```java
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    // Raw request URI as sent by the client: path parameters (";...") and
    // ".." segments are still present here; the container removes them
    // only when it maps the request to a resource.
    String requestURI = httpRequest.getRequestURI();

    SecurityContext context = getSecurityContext();

    Authentication authentication = context.getAuthentication();

    AuditEvent auditEvent = null;
    ....
}
```

The servlet container and the filter disagree about which path a request names. When a request arrives for a path of the form `/everyone-has-permission-path/..;/admin-has-permission-path`, the container treats `;` as the start of a path parameter, discards it, resolves the remaining `..` segment, and serves the resource at `/admin-has-permission-path`. `httpRequest.getRequestURI()` in the filter, however, returns the raw string `/everyone-has-permission-path/..;/admin-has-permission-path`, so the pattern matches in the following code are evaluated against the prefix the caller is allowed to reach rather than the resource that will actually be served, and the permission check passes:

```java
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    ...
    if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
      ...
    }
    if (authentication == null || authentication instanceof AnonymousAuthenticationToken ||
        !authentication.isAuthenticated()) {
      ...
    } else if (!authorizationPerformedInternally(requestURI)) {
      boolean authorized = false;

      // requestURI is the raw value from getRequestURI(): a request for
      // "/bootstrap/..;/users" still matches the bootstrap pattern here,
      // although the container will dispatch it to "/users".
      if (requestURI.matches(API_BOOTSTRAP_PATTERN_ALL)) {
        authorized = AuthorizationHelper.isAuthorized(authentication,
            ResourceType.CLUSTER,
            null,
            EnumSet.of(RoleAuthorization.HOST_ADD_DELETE_HOSTS));
      }
      else {
        ...
      }

      ...
    }
    ...
}
```

In practice, to reach an API under `/users.*` one only needs to request `/bootstrap/..;/users`: the filter matches the URI against the bootstrap rules, while the server dispatches the request to the users resource, so the check the filter would normally apply to `/users.*` is never run.

The APIs under `/users.*` may still enforce permissions of their own, so this is only an illustration. The same construction works for any other pattern-gated path, which means a caller can bypass the filter's checks and reach other APIs that require authorization.
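The mismatch described above, and the `/bootstrap/..;/users` example, as an added Python model that is not Ambari's code: it reproduces what a servlet container does to a request path before dispatch (percent-decoding, dropping `;param` path parameters, resolving `.` and `..`), shows a filter that matches rules on the raw URI next to one that matches on the dispatched path, and reuses the same normalization to scan access-log lines for requests where the two paths differ. The URL patterns, role names, and log lines are simplified stand-ins constructed for the example, not copied from the project.

```python
"""Model of the raw-vs-dispatched URI mismatch behind the Ambari filter bypass.

Added example, not Ambari's code. Container behaviour is modelled after how a
servlet container maps a request path: percent-decode, drop ';param' path
parameters, resolve '.' and '..'. Rules and roles are hypothetical stand-ins.
"""
import re
from typing import List, Set, Tuple
from urllib.parse import unquote

# Hypothetical path rules: (pattern, role the caller must hold).  Modelled on
# the filter's pattern/role checks, not copied from it.
RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"/api/v[0-9]+/bootstrap(/.*)?"), "HOST_ADD_DELETE_HOSTS"),
    (re.compile(r"/api/v[0-9]+/users(/.*)?"), "AMBARI_ADMINISTRATOR"),
]
DEFAULT_ROLE = "AMBARI_ADMINISTRATOR"   # default-deny for paths no rule names


def strip_path_params(uri: str) -> str:
    """Drop ';name=value' path parameters from every segment ('..;' -> '..')."""
    return "/".join(seg.split(";", 1)[0] for seg in uri.split("/"))


def normalize_path(raw_uri: str) -> str:
    """The path the container dispatches to: decode, strip params, resolve dots.
    A '..' above the root is simply dropped here; a real container may send 400."""
    out: List[str] = []
    for seg in strip_path_params(unquote(raw_uri)).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def has_dot_segments(raw_uri: str) -> bool:
    """True if any segment (after decoding and param-stripping) is '.' or '..'."""
    segs = strip_path_params(unquote(raw_uri)).split("/")
    return any(seg in (".", "..") for seg in segs)


def required_role(path: str) -> str:
    """Role needed for a path under the hypothetical rule table."""
    for pattern, role in RULES:
        if pattern.fullmatch(path):
            return role
    return DEFAULT_ROLE


def vulnerable_filter(raw_uri: str, roles: Set[str]) -> bool:
    """Matches rules against getRequestURI() as-is, like the filter on the page."""
    return required_role(raw_uri) in roles


def hardened_filter(raw_uri: str, roles: Set[str]) -> bool:
    """Suggested fix (not the project's): refuse any URI that still contains
    dot segments, then match rules on the path the container will serve."""
    if has_dot_segments(raw_uri):
        return False
    return required_role(normalize_path(raw_uri)) in roles


REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def find_bypass_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (raw_uri, dispatched_path) for requests whose path contains dot
    segments, i.e. where the filter and the container saw different paths."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        uri = m.group("uri").split("?", 1)[0]   # query string is not part of the path
        if has_dot_segments(uri):
            hits.append((uri, normalize_path(uri)))
    return hits


# Constructed NCSA-style access-log lines for the example; not real Ambari logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2020:10:01:22 +0000] "GET /api/v1/users/admin HTTP/1.1" 403 64',
    '10.0.0.5 - - [01/Jun/2020:10:01:30 +0000] "GET /api/v1/bootstrap/..;/users/admin HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2020:10:01:41 +0000] "GET /api/v1/bootstrap/%2e%2e;/users?fields=* HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jun/2020:10:02:03 +0000] "GET /api/v1/clusters/c1/hosts HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    roles = {"HOST_ADD_DELETE_HOSTS"}   # cluster operator, not an Ambari admin
    for uri in ("/api/v1/users/admin", "/api/v1/bootstrap/..;/users/admin"):
        print(uri, "->", normalize_path(uri),
              "| vulnerable allows:", vulnerable_filter(uri, roles),
              "| hardened allows:", hardened_filter(uri, roles))
    for raw, served in find_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt:", raw, "served as", served)
```

The log check flags the encoded form (`%2e%2e;`) as well as the literal one, because `getRequestURI()` hands the filter the undecoded string while the container decodes before mapping; any detection that only greps for a literal `..;` misses that variant. The hardened variant's outright rejection of dot segments is one reasonable mitigation, not a description of the project's own fix.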

Affected version

  • Apache Ambari <= 2.6.2.2

Solution

Affected users should upgrade to a version of Apache Ambari in which this issue is fixed as soon as possible. Where an immediate upgrade is not possible, a reverse proxy in front of Ambari Server that rejects request paths containing `..` or `;` segments removes this particular bypass, but it is not a substitute for the fix.