ghsa-5fqv-mpj8-h7gm
Vulnerability from github
Published
2023-03-01 18:05
Modified
2024-09-30 19:44
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Lemur subject to insecure random generation
Details

Overview

Lemur was using insecure random generation for its example configuration file, as well as for some utilities.

Impact

The potentially affected generated items include:

| Configuration item | Config option name (if applicable) | Documentation link (if applicable) | Rotation option | Code reference(s) | | ----------- | ----------- | ----------- | ----------- |----------- | | Flask session secret | SECRET_KEY | Flask documentation | Generate a new secret and place in config; all existing sessions will be invalidated | N/A, internal to Flask | | Lemur token secret | LEMUR_TOKEN_SECRET | Lemur's configuration documentation | Generate a new secret and place in config; all existing JWTs will be invalidated and must be regenerated (including API keys) | 1, 2 | | Lemur database encryption key | LEMUR_ENCRYPTION_KEYS | Lemur's configuration documentation | A new key can be generated and added to this list, but existing data encrypted with prior keys cannot be re-encrypted unless you write a custom re-encryption process | 1 | | OAuth2 state token secret key | OAUTH_STATE_TOKEN_SECRET | Lemur's configuration documentation | Generate a new secret and place in config | 1 | | Randomly generated passphrases for openssl keystores | N/A, generated at runtime but persisted |N/A | Re-export all openssl keystores and replace them wherever they're in use | 1 | | Initial password for LDAP users | N/A, generated at runtime but persisted | N/A | N/A, cannot be rotated | 1 | | Initial password for Ping/OAuth2 users | N/A, generated at runtime but persisted |N/A | N/A, cannot be rotated | 1 | | Oauth2 nonce | N/A, short-lived runtime secret |N/A | N/A, rotation is not required (these are short-lived) | 1 | | Verisign certificate enrollment challenges | N/A, short-lived runtime secret | N/A | N/A, rotation is not required (these are short-lived) | 1 |

If your deployment of Lemur is using any of the above config secrets that were generated by Lemur's example config (i.e., generated using insecure randomness), you should rotate those config secrets. If you generated your config secrets in a more secure way, they are not known to be compromised, but you should still upgrade Lemur to ensure that you receive code fixes for the runtime-generated secrets.

For general information and guidance on Lemur secret configuration, see Lemur's configuration documentation, which includes information on many of the configuration options listed above.

*For the user passwords: Even though these users are configured to use SSO, they do get generated with valid database passwords that can be used to log in. Since Lemur doesn't have an option to change passwords (#3888), one option for rotating them would be to directly modify the value in the database to some other unguessable string (you do not need to know the plaintext password since it won't be used).

Patches

The patch is available in v1.3.2.

Workarounds

No workarounds are available.

References

N/A

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lemur"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-01T18:05:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Overview\nLemur was using insecure random generation for its example configuration file, as well as for some utilities.\n\n### Impact\nThe potentially affected generated items include:\n\n| Configuration item      | Config option name (if applicable) | Documentation link (if applicable) | Rotation option | Code reference(s) |\n| ----------- | ----------- | ----------- | ----------- |----------- |\n| Flask session secret      | `SECRET_KEY`       | [Flask documentation](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY) | Generate a new secret and place in config; all existing sessions will be invalidated | N/A, internal to Flask |\n| Lemur token secret | `LEMUR_TOKEN_SECRET` | [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration) | Generate a new secret and place in config; all existing JWTs will be invalidated and must be regenerated (including API keys) | [1](https://github.com/Netflix/lemur/blob/1b61194a936240103f3c23299f9512c2b7e0fd36/lemur/auth/service.py#L79), [2](https://github.com/Netflix/lemur/blob/1b61194a936240103f3c23299f9512c2b7e0fd36/lemur/auth/service.py#L105) |\n| Lemur database encryption key | `LEMUR_ENCRYPTION_KEYS` | [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration) | A new key can be generated and added to this list, but existing data encrypted with prior keys cannot be re-encrypted unless you write a custom re-encryption process | [1](https://github.com/Netflix/lemur/blob/3783fbeaa1645bbee022827f4f53ffb12dd65a61/lemur/utils.py#L58) |\n| OAuth2 state token secret key | `OAUTH_STATE_TOKEN_SECRET` | [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration) | Generate a new secret and place in config | [1](https://github.com/Netflix/lemur/blob/4b03baaf5544f167e78055bab15a903b1badf22b/lemur/auth/views.py#L267) |\n| Randomly generated passphrases for openssl keystores | N/A, generated at runtime but persisted |N/A | Re-export all openssl keystores and replace them wherever they\u0027re in use | [1](https://github.com/Netflix/lemur/blob/2603776e5c0ac25fa0103ff1357dea391d880160/lemur/plugins/lemur_openssl/plugin.py#L129) |\n| Initial password for LDAP users | N/A, generated at runtime but persisted | N/A | N/A, cannot be rotated* | [1](https://github.com/Netflix/lemur/blob/3783fbeaa1645bbee022827f4f53ffb12dd65a61/lemur/auth/ldap.py#L66) |\n| Initial password for Ping/OAuth2 users | N/A, generated at runtime but persisted |N/A | N/A, cannot be rotated* | [1](https://github.com/Netflix/lemur/blob/4b03baaf5544f167e78055bab15a903b1badf22b/lemur/auth/views.py#L234) |\n| Oauth2 nonce | N/A, short-lived runtime secret |N/A | N/A, rotation is not required (these are short-lived) | [1](https://github.com/Netflix/lemur/blob/4b03baaf5544f167e78055bab15a903b1badf22b/lemur/auth/views.py#L668) |\n| Verisign certificate enrollment challenges | N/A, short-lived runtime secret | N/A | N/A, rotation is not required (these are short-lived) | [1](https://github.com/Netflix/lemur/blob/d4af5af99cd51016579f015d79df649c68a6ad15/lemur/plugins/lemur_verisign/plugin.py#L107) |\n\nIf your deployment of Lemur is using any of the above config secrets that were _generated by Lemur\u0027s example config_ (i.e., generated using insecure randomness), you should rotate those config secrets. If you generated your config secrets in a more secure way, they are not known to be compromised, but you should still upgrade Lemur to ensure that you receive code fixes for the runtime-generated secrets.\n\nFor general information and guidance on Lemur secret configuration, see [Lemur\u0027s configuration documentation](https://lemur.readthedocs.io/en/latest/administration.html#configuration), which includes information on many of the configuration options listed above.\n\n*For the user passwords: Even though these users are configured to use SSO, they do get generated with valid database passwords that can be used to log in. Since Lemur doesn\u0027t have an option to change passwords (#3888), one option for rotating them would be to directly modify the value in the database to some other unguessable string (you do not need to know the plaintext password since it won\u0027t be used).\n\n### Patches\nThe patch is available in v1.3.2.\n\n### Workarounds\nNo workarounds are available.\n\n### References\nN/A",
  "id": "GHSA-5fqv-mpj8-h7gm",
  "modified": "2024-09-30T19:44:46Z",
  "published": "2023-03-01T18:05:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/issues/3888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Netflix/lemur"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lemur/PYSEC-2023-20.yaml"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Lemur subject to insecure random generation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.