affects OMERO 5 versions 5.4.6 and earlier
A remote user can determine a server's node UUID after a script is placed directly into the server's scripts directory. That UUID can then be used to log in to the server as the root
user thus providing the associated system privileges. Further, closing that login session seriously disables the server until it is restarted.
The OMERO PR #5273 describes a process to:
… establish a secret key when the server starts up, tell it to the database then, when we try to set the originalfile.repo column, have a database trigger look for that secret key prefixing originalfile.name …
OMERO.server affords considerable privilege to those who wield that secret key. The key can leak when the scripts service detects a new script because subsequently the server returns script names with that key prefix to the first user who queries the list of scripts. Use of bin/omero script list suffices to call IScript::getScripts() and trigger the leak.
This vulnerability is identified as CVE-2018-1000635.
OMERO.server from 5.4.0 to 5.4.6 inclusive.
Manage server-side scripts only via the clients, not by directly manipulating the server's filesystem.
All OMERO.servers should be upgraded to at least 5.4.7.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.11.14