Описание
Skipper is vulnerable to arbitrary code execution through lua filters
Impact
Arbitrary code execution through lua filters.
The default skipper configuration before v0.23 was -lua-sources=inline,file.
The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs they an read skipper secrets.
Kubernetes example (vulnerability is not limited to Kubernetes)
Patches
https://github.com/zalando/skipper/releases/tag/v0.23.0 disables Lua by default.
Workarounds
You can reduce support of how you can pass lua filter script data by providing config for lua sources https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources. For example -lua-sources=file will only be exploitable if the attacker can create a lua script file on the target system.
References
https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources
Пакеты
github.com/zalando/skipper
< 0.23.0
0.23.0
Связанные уязвимости
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.