Bug 736050 (CVE-2020-13151) - dev-db/aerospike-server-community: Remote code execution vulnerability (CVE-2020-13151)
Summary: dev-db/aerospike-server-community: Remote code execution vulnerability (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2020-13151
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Deadline: 2021-01-17
Assignee: Gentoo Security
URL: https://b4ny4n.github.io/network-pent...
Whiteboard: ~1 [noglsa]
Keywords:
Duplicates: 758191
Depends on:
Blocks: 758191
Reported: 2020-08-05 15:42 UTC by John Helmert III
Modified: 2021-01-19 15:44 UTC

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III 2020-08-05 15:42:01 UTC
CVE-2020-13151:

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

Looks like all of our versions are vulnerable according to URL. Please bump, else last-rite or drop to m-n if this isn't being maintained. I see this was last touched almost two years ago by a non-maintainer due to maintainer timeout, and this package has several bugs open for years without a touch from the maintainer.
Comment 1 Michał Górny 2020-12-18 08:46:10 UTC
*** Bug 758191 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow 2020-12-18 09:00:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef2b35a7882d32739436dec9de3283d162b8d6a

commit 3ef2b35a7882d32739436dec9de3283d162b8d6a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-18 08:47:50 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-18 09:00:05 +0000

    package.mask: Last rite dev-db/aerospike-server-community
    
    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 3 Larry the Git Cow 2021-01-19 08:39:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a467253e33c4cd9d4b65cd6fb088fa69952b115

commit 7a467253e33c4cd9d4b65cd6fb088fa69952b115
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 08:37:19 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 08:39:09 +0000

    dev-db/aerospike-server-community: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-db/aerospike-server-community/Manifest         |  1 -
 .../aerospike-server-community-4.1.0.1.ebuild      | 71 ------------------
 .../aerospike-server-community-9999.ebuild         | 84 ----------------------
 .../files/3.5.8-use-system-libs.patch              | 63 ----------------
 .../files/aerospike.conf                           | 70 ------------------
 .../files/aerospike.init                           | 53 --------------
 .../files/aerospike.logrotate                      | 10 ---
 .../files/aerospike_mesh.conf                      | 73 -------------------
 .../files/aerospike_ssd.conf                       | 68 ------------------
 dev-db/aerospike-server-community/metadata.xml     | 10 ---
 profiles/package.mask                              |  5 --
 11 files changed, 508 deletions(-)