CVE-2021-28667 - Unicode Payload Logging

Discovered Date: March 16, 2021
Severity: Composer v4.0 and earlier
Exploitation: Orchestral is not aware of any active malicious attempts to exploit the vulnerability
Resolution: Upgrade Composer to v4.1

Description:
This vulnerability was discovered in the underlying StackStorm v3.4.1 open-source software by StackStorm developers and affects Composer v4.0 and earlier.
The issue affects anyone who runs Composer under Python 3 and whose system locale / encoding for the StackStorm service processes (st2api, st2actionrunner, etc.) is not set to UTF-8. Under such conditions, if the system receives a payload containing Unicode characters and that payload is logged, the Composer process goes into an infinite loop trying to decode the payload. The affected service then shows high CPU utilization, and its log file grows either until the process is killed or until all available disk space is exhausted.

References:
See the following blog post for a detailed description of the issue and resolutions.
https://stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix/

Frequently Asked Questions:

Q: When should I upgrade?
A: Customers should upgrade as soon as practical. Composer servers are not generally accessible to external malicious actors, so exposure may be limited. However, the issue could be exploited by a malicious actor who has direct access to the Composer server.

Q: My server has Python 2 installed, not Python 3. Am I affected by this?
A: No, this only impacts servers with Python 3.

Q: Are there exploits available for this vulnerability?
A: Orchestral is not aware of any active malicious attempts to exploit the vulnerability.
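An added check for the condition described under Description above; this is example code, not code from Orchestral, Composer or StackStorm. It reports whether the running process uses a UTF-8 encoding and shows a bounded way to render a Unicode payload for a log stream under a non-UTF-8 encoding: a single pass with errors="replace" rather than a retry on decode failure. The function names and the sample payload are constructed for this illustration.

```python
import codecs
import locale
import sys
from typing import Union


def is_utf8(encoding_name: str) -> bool:
    """True if the codec name resolves to UTF-8 ('utf8', 'UTF-8', 'utf_8' all qualify)."""
    try:
        return codecs.lookup(encoding_name).name == "utf-8"
    except LookupError:
        return False


def check_process_encoding() -> dict:
    """Report the encodings this process uses for locale-dependent text and file names.
    A service whose values here are not UTF-8 is running in the condition the advisory describes."""
    preferred = locale.getpreferredencoding(False)
    fs = sys.getfilesystemencoding()
    return {
        "preferred_encoding": preferred,
        "filesystem_encoding": fs,
        "utf8": is_utf8(preferred) and is_utf8(fs),
    }


def render_for_log(payload: Union[str, bytes], log_encoding: str) -> str:
    """Make a payload safe to write to a log stream that uses log_encoding.
    Single pass and bounded: characters or bytes the codec cannot handle become
    replacement markers instead of raising (and instead of being retried)."""
    if isinstance(payload, bytes):
        # Bytes that are not valid in log_encoding become U+FFFD.
        return payload.decode(log_encoding, errors="replace")
    # Characters the codec cannot represent become '?'.
    return payload.encode(log_encoding, errors="replace").decode(log_encoding)


# Constructed sample payload with non-ASCII characters (not taken from the advisory).
SAMPLE_PAYLOAD = "Déjà vu ☃"

if __name__ == "__main__":
    report = check_process_encoding()
    print(report)
    if not report["utf8"]:
        print("WARNING: process encoding is not UTF-8; set LANG/LC_ALL to a UTF-8 locale for st2 services")
    # Rendering neither loops nor raises, whatever encoding the log stream uses.
    for enc in ("utf-8", "ascii", "latin-1"):
        print(enc, "->", render_for_log(SAMPLE_PAYLOAD, enc))
```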