=========================================
 CELERYSA-0003: Celery Security Advisory
=========================================
:contact: security@celeryproject.org
:CVE id: TBA
:date: 2016-12-08 05:00:00 p.m. PST

Details
=======

:package: celery
:vulnerability: Configuration Error
:problem type: remote
:risk: low
:versions-affected: 4.0.0

Description
===========

The default configuration in Celery 4.0.0 allowed workers to deserialize
pickled messages, even when the application was configured to send its own
messages in the JSON format.

The setting in question is `accept_content`, which controls the serializers
a worker will accept on incoming messages. In 4.0.0 it defaulted to:

    app.conf.accept_content = ['json', 'pickle', 'msgpack', 'yaml']

Because the content type is declared per message by whoever publishes it,
the producer-side `task_serializer` setting offers no protection here: a
party able to publish to the broker can send a pickle-encoded message and the
worker will unpickle it, which allows arbitrary code execution in the worker
process.

The risk is nevertheless rated low, because the attacker would first need
access to the message broker used to deliver messages to Celery workers.

Systems affected
================

Users of Celery 4.0.0 who have not explicitly set `accept_content`.

Solution
========

To work around the issue you can explicitly configure the `accept_content`
setting:

    app.conf.accept_content = ['json']

Or you can upgrade to Celery 4.0.1:

    $ pip install -U celery

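To make the failure mode concrete, the following is an added example, not code from the Celery or kombu projects. It reimplements in a few lines the content-type check a worker performs before deserializing a message body, and runs two constructed messages through it with the 4.0.0 default list and with the recommended `['json']` list. The content-type strings are the ones kombu registers for its built-in serializers; the dispatcher, the `Gadget` class, the `record` side-effect sink and the two messages are assumptions made for this demo. It shows that with the default list an attacker-supplied pickle message is unpickled, and code runs on load, even though the application itself only produces JSON; with `accept_content = ['json']` the same message is refused before `pickle.loads` is ever reached.

```python
"""Why accept_content must be an explicit allowlist (added example, not Celery code)."""
import json
import pickle

# Serializer name -> content type, as kombu registers its built-in serializers.
CONTENT_TYPES = {
    "json": "application/json",
    "pickle": "application/x-python-serialize",
    "msgpack": "application/x-msgpack",
    "yaml": "application/x-yaml",
}

# The list Celery 4.0.0 shipped with, and the one the advisory recommends.
DEFAULT_4_0_0 = ["json", "pickle", "msgpack", "yaml"]
HARDENED = ["json"]

# Simplified decoder table (assumption: only json and pickle are modelled here).
DECODERS = {
    "application/json": lambda body: json.loads(body.decode("utf-8")),
    "application/x-python-serialize": pickle.loads,
}


class ContentDisallowed(Exception):
    """Raised when a message's content type is not in accept_content."""


def normalize(accept_content):
    """accept_content may hold short names or content types; map all to content types."""
    return {CONTENT_TYPES.get(item, item) for item in accept_content}


def decode_message(content_type, body, accept_content):
    """Check the allowlist first, then dispatch to the matching decoder."""
    if content_type not in normalize(accept_content):
        raise ContentDisallowed(f"refusing to deserialize {content_type!r}")
    decoder = DECODERS.get(content_type)
    if decoder is None:
        raise ContentDisallowed(f"no decoder modelled for {content_type!r}")
    return decoder(body)


# Evidence sink: a stand-in for whatever a real malicious pickle would do.
SIDE_EFFECTS = []


def record(marker):
    SIDE_EFFECTS.append(marker)
    return marker


class Gadget:
    """pickle invokes __reduce__'s callable at load time (real payloads use os.system)."""

    def __reduce__(self):
        return (record, ("pickle ran code on load",))


def constructed_messages():
    """Two constructed broker messages: the app's own JSON task, and an attacker's pickle."""
    return [
        ("application/json", json.dumps({"task": "add", "args": [2, 3]}).encode("utf-8")),
        ("application/x-python-serialize", pickle.dumps(Gadget())),
    ]


def run_worker(accept_content):
    """Return (decoded, rejected, side_effects) for one pass over the messages."""
    SIDE_EFFECTS.clear()
    decoded = rejected = 0
    for content_type, body in constructed_messages():
        try:
            decode_message(content_type, body, accept_content)
            decoded += 1
        except ContentDisallowed:
            rejected += 1
    return decoded, rejected, list(SIDE_EFFECTS)


if __name__ == "__main__":
    print("4.0.0 default:", run_worker(DEFAULT_4_0_0))  # pickle accepted, code ran
    print("json only:    ", run_worker(HARDENED))       # pickle rejected, nothing ran
```

The check runs before any decoder is called, which is the property that matters: an allowlist applied after `pickle.loads` would be too late, since the code in `__reduce__` has already executed by then.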
Distribution package maintainers are urged to provide their users
with updated packages.

Please direct questions to the celery-users mailing-list:
https://groups.google.com/group/celery-users/,
or if you're planning to report a new security related issue we request that
you keep the information confidential by contacting
security@celeryproject.org instead.

Thank you!