March 25, 2020

GHSL-2020-028: Server-Side Template Injection in Netflix Titus

Alvaro Muñoz

Summary

A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.

CVE

CVE-2020-9297

Product

Netflix Titus

Tested Version

v0.1.1-rc.263

Issues found

GHSL-2020-028 Details - Remote Code Execution - JavaEL Injection

It is possible to run arbitrary code on the server (with Titus service account privileges) by injecting arbitrary Java Expression Language (EL) expressions.

Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators such as com.netflix.titus.api.jobmanager.model.job.sanitizer.SchedulingConstraintSetValidator When building custom constraint violation error messages, it is important to understand that they support different types of interpolation, including Java EL expressions. Therefore if an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.

@Override
public boolean isValid(Container container, ConstraintValidatorContext context) {
    if (container == null) {
        return true;
    }
    Set<String> common = new HashSet<>(container.getSoftConstraints().keySet());
    common.retainAll(container.getHardConstraints().keySet());
    if (common.isEmpty()) {
        return true;
    }
    context.buildConstraintViolationWithTemplate(
            "Soft and hard constraints not unique. Shared constraints: " + common
    ).addConstraintViolation().disableDefaultConstraintViolation();
    return false;
}

We found multiple paths flowing into ConstraintValidatorContext.buildConstraintViolationWithTemplate(0).

Impact

This issue may lead to Remote Code execution

Remediation

There are different approaches to remediate the issue:

  • Do not include validated bean properties in the custom error message.
  • Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found here.
  • Disable the EL interpolation and only use ParameterMessageInterpolator:
Validator validator = Validation.byDefaultProvider()
   .configure()
   .messageInterpolator( new ParameterMessageInterpolator() )
   .buildValidatorFactory()
   .getValidator();
  • Replace Hibernate-Validator with Apache BVal which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy

  • 02/18/2020: Report sent to Vendor via BugCrowd
  • 02/19/2020: Vulnerability acknowledged
  • 02/19/2020: Netflix acknowledged issue as P1 on secondary target. Awards $3000

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz). We would like to thank Guillaume Smet from the Hibernate Validator team for help with the remediation advice.

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-YEAR-ID in any communication regarding this issue.