CELERYSA-0001.txt 2.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293
  1. =========================================
  2. CELERYSA-0001: Celery Security Advisory
  3. =========================================
  4. :contact: security@celeryproject.org
  5. :author: Ask Solem
  6. :CVE id: CVE-2011-4356
  7. :date: 2011-11-25 04:35:00 P.M GMT
  8. Details
  9. =======
  10. :package: celery
  11. :vulnerability: privilege escalation
  12. :problem type: local
  13. :risk: medium
  14. :bug-no: Celery #544
  15. :versions-affected: 2.1, 2.2, 2.3, 2.4
  16. Description
  17. ===========
  18. The --uid and --gid arguments to the celeryd-multi,
  19. celeryd_detach, celerybeat and celeryev programs shipped
  20. with Celery versions 2.1 and later was not handled properly:
  21. only the effective user was changed, with the real id remaining
  22. unchanged.
  23. In practice for affected users the vulnerability means that malicious code
  24. loaded in the worker process would be allowed to escalate privileges.
  25. We take this issue seriously since the Pickle serializer used by
  26. default makes it possible to execute arbitrary code.
  27. We recommend that users takes steps to secure their systems so that
  28. malicious users cannot abuse the message broker to send messages,
  29. or disable the pickle serializer used in Celery so that arbitrary code
  30. execution is not possible.
  31. Patches are now available for all maintained versions (see below),
  32. and users are urged to upgrade, even if not directly
  33. affected.
  34. Systems affected
  35. ================
  36. Users of Celery versions 2.1, 2.2, 2.3, 2.4 except the recently
  37. released 2.2.8, 2.3.4 and 2.4.4, daemonizing the celery programs
  38. as the root user, using either:
  39. 1) the --uid or --gid arguments, or
  40. 2) the provided generic init scripts with the environment variables
  41. CELERYD_USER or CELERYD_GROUP defined,
  42. are affected.
  43. Users using the Debian init scripts, CentOS init scripts, OS X launchctl
  44. scripts, Supervisor, or users not starting the programs as the root user
  45. are *not* affected.
  46. Solution
  47. ========
  48. Users of the 2.4 series should upgrade to 2.4.4:
  49. * ``pip install -U celery``, or
  50. * ``easy_install -U celery``, or
  51. * http://pypi.python.org/pypi/celery/2.4.4
  52. Users of the 2.3 series should upgrade to 2.3.4:
  53. * ``pip install -U celery==2.3.4``, or
  54. * ``easy_install -U celery==2.3.4``, or
  55. * http://pypi.python.org/pypi/celery/2.3.4
  56. Users of the 2.2 series should upgrade to 2.2.8:
  57. * ``pip install -U celery==2.2.8``, or
  58. * ``easy_install -U celery==2.2.8``, or
  59. * http://pypi.python.org/pypi/celery/2.2.8
  60. The 2.1 series is no longer being maintained, so we urge users
  61. of that series to upgrade to a more recent version.
  62. Distribution package maintainers are urged to provide their users
  63. with updated packages.
  64. Please direct questions to the celery-users mailing-list:
  65. http://groups.google.com/group/celery-users/,
  66. or if you are planning to report a security issue we request that
  67. you keep the information confidential by contacting
  68. security@celeryproject.org, so that a fix can be issued as quickly as possible.
  69. Thank you!