CVE-2021-28667 - Unicode Payload Logging
Discovered Date: March 16, 2021
Severity: High
Attack Complexity: Low
Vulnerability: Composer v4.0 and earlier
Exploitation: Orchestral is not aware of any active malicious attempts to exploit the vulnerability
Resolution: Upgrade Composer to v4.1
Description: This vulnerability was discovered in the underlying StackStorm v3.4.1 open-source software by StackStorm developers and affects Composer v4.0 and earlier.
The issue affects anyone who is running Composer under Python 3 and does not have the system locale / encoding used by the StackStorm service processes (st2api, st2actionrunner, etc.) set to UTF-8. Under such conditions, if the system receives a payload containing unicode characters and that payload is also logged, the Composer process goes into an infinite loop trying to decode the payload. This causes the affected service to run at high CPU utilization and its log file to grow until either the process is killed or all available disk space is exhausted.
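Added here as an illustration of the exposure condition, not code from the advisory or from StackStorm/Composer: a Python 3 check that evaluates the locale environment a service process was started with and reports whether it resolves to UTF-8. The /proc layout, the "st2" command-line prefix and the helper names are assumptions for this example.

```python
import os
import re

# POSIX precedence for the character-type category: LC_ALL overrides
# LC_CTYPE, which overrides LANG; with none set the C/POSIX locale applies.
_UTF8 = re.compile(r"utf-?8", re.IGNORECASE)


def effective_ctype(env):
    """Return the locale string that governs LC_CTYPE for this environment."""
    for var in ("LC_ALL", "LC_CTYPE", "LANG"):
        if env.get(var):
            return env[var]
    return "C"


def is_utf8_locale(env):
    """True if a Python 3 process started with this environment decodes text as UTF-8.
    Caveat: Python 3.7+ may coerce a bare C/POSIX locale to C.UTF-8 at startup (PEP 538),
    which /proc/<pid>/environ does not show; confirm a "C" finding in-process if in doubt."""
    if env.get("PYTHONUTF8") == "1":  # UTF-8 mode (Python 3.7+) ignores the locale
        return True
    codeset = effective_ctype(env).split("@")[0].partition(".")[2]  # en_US.UTF-8 -> UTF-8
    return bool(_UTF8.search(codeset))


def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def scan_proc(prefix="st2", proc="/proc"):
    """Return (pid, argv0, utf8_ok) for processes whose command line names an st2* program.
    Hypothetical helper: Linux only; reading another user's environ needs root."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
            if not any(os.path.basename(a).startswith(prefix) for a in argv):
                continue
            with open(f"{proc}/{pid}/environ", "rb") as f:
                env = parse_environ(f.read())
        except OSError:  # process exited or permission denied
            continue
        findings.append((int(pid), argv[0], is_utf8_locale(env)))
    return findings
```

A `False` in the third field of a `scan_proc()` result identifies a service process running under the non-UTF-8 condition the advisory describes; systemd units that do not source the system locale file are a common way to end up there.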
References: See the following blog post for a detailed description of the issue and resolutions.
https://stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix/
Frequently Asked Questions:
Q: When should I upgrade?
A: Customers should upgrade as soon as practical. Composer servers are not generally accessible by external malicious actors, so exposure may be limited. However, this could be exploited by a malicious actor that has direct access to the Composer server.
Q: My server has Python 2 installed, not Python 3. Am I affected by this?
A: No, this only impacts servers with Python 3.
Q: Are there exploits available for this vulnerability?
A: Orchestral is not aware of any active malicious attempts to exploit the vulnerability.