Home Explore Help
Sign In
yangck
/
celery
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 86e7eed314
Branches Tags
celery
/
docs
/
sec
/
CELERYSA-0001.txt

CELERYSA-0001.txt 2.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293 
  1. =========================================
    2. 

  2.  CELERYSA-0001: Celery Security Advisory
    3. 

  3. =========================================
    4. 

  4. :contact: security@celeryproject.org
    5. 

  5. :author: Ask Solem
    6. 

  6. :CVE id: CVE-2011-4356
    7. 

  7. :date: 2011-11-25 04:35:00 p.m. GMT
    8. 

  8. 

  9. Details
    10. 

  10. =======
    11. 

  11. 

  12. :package: celery
    13. 

  13. :vulnerability: privilege escalation
    14. 

  14. :problem type: local
    15. 

  15. :risk: medium
    16. 

  16. :bug-no: Celery #544
    17. 

  17. :versions-affected: 2.1, 2.2, 2.3, 2.4
    18. 

  18. 

  19. Description
    20. 

  20. ===========
    21. 

  21. 

  22. The --uid and --gid arguments to the celeryd-multi,
    23. 

  23. celeryd_detach, celerybeat and celeryev programs shipped
    24. 

  24. with Celery versions 2.1 and later wasn't handled properly:
    25. 

  25. only the effective user was changed, with the real id remaining
    26. 

  26. unchanged.
    27. 

  27. 

  28. In practice for affected users the vulnerability means that malicious code
    29. 

  29. loaded in the worker process would be allowed to escalate privileges.
    30. 

  30. 

  31. We take this issue seriously since the Pickle serializer used by
    32. 

  32. default makes it possible to execute arbitrary code.
    33. 

  33. 

  34. We recommend that users takes steps to secure their systems so that
    35. 

  35. malicious users cannot abuse the message broker to send messages,
    36. 

  36. or disable the pickle serializer used in Celery so that arbitrary code
    37. 

  37. execution isn't possible.
    38. 

  38. 

  39. Patches are now available for all maintained versions (see below),
    40. 

  40. and users are urged to upgrade, even if not directly
    41. 

  41. affected.
    42. 

  42. 

  43. Systems affected
    44. 

  44. ================
    45. 

  45. 

  46. Users of Celery versions 2.1, 2.2, 2.3, 2.4; except the recently
    47. 

  47. released 2.2.8, 2.3.4, and 2.4.4, daemonizing the Celery programs
    48. 

  48. as the root user, using either:
    49. 

  49.     1) the --uid or --gid arguments, or
    50. 

  50.     2) the provided generic init-scripts with the environment variables
    51. 

  51.        CELERYD_USER or CELERYD_GROUP defined,
    52. 

  52. are affected.
    53. 

  53. 

  54. Users using the Debian init-scripts, CentOS init-scripts, macOS launchctl
    55. 

  55. scripts, Supervisor, or users not starting the programs as the root user
    56. 

  56. are *not* affected.
    57. 

  57. 

  58. Solution
    59. 

  59. ========
    60. 

  60. 

  61. Users of the 2.4 series should upgrade to 2.4.4:
    62. 

  62. 

  63.     * ``pip install -U celery``, or
    64. 

  64.     * ``easy_install -U celery``, or
    65. 

  65.     * http://pypi.python.org/pypi/celery/2.4.4
    66. 

  66. 

  67. Users of the 2.3 series should upgrade to 2.3.4:
    68. 

  68. 

  69.     * ``pip install -U celery==2.3.4``, or
    70. 

  70.     * ``easy_install -U celery==2.3.4``, or
    71. 

  71.     * http://pypi.python.org/pypi/celery/2.3.4
    72. 

  72. 

  73. Users of the 2.2 series should upgrade to 2.2.8:
    74. 

  74. 

  75.     * ``pip install -U celery==2.2.8``, or
    76. 

  76.     * ``easy_install -U celery==2.2.8``, or
    77. 

  77.     * http://pypi.python.org/pypi/celery/2.2.8
    78. 

  78. 

  79. The 2.1 series is no longer being maintained, so we urge users
    80. 

  80. of that series to upgrade to a more recent version.
    81. 

  81. 

  82. Distribution package maintainers are urged to provide their users
    83. 

  83. with updated packages.
    84. 

  84. 

  85. 

  86. Please direct questions to the celery-users mailing-list:
    87. 

  87. http://groups.google.com/group/celery-users/,
    88. 

  88. 

  89. or if you're planning to report a security issue we request that
    90. 

  90. you keep the information confidential by contacting
    91. 

  91. security@celeryproject.org, so that a fix can be issued as quickly as possible.
    92. 

  92. 

  93. Thank you!
    94.