2022年11月15日

以色列特拉維夫，2022年11月15日/ EINPresswire.com——屢獲殊榮的雲原生應用程序安全提供商Oxeye今天宣布，Spotify的後台項目中存在一個關鍵的新漏洞，呼籲開發人員在其環境中立即采取行動。通過vm2中的第三方庫利用VM沙盒轉義，Oxeye研究團隊獲得了在後台項目中進行未經身份驗證的遠程代碼執行的能力。Oxeye通過Spotify的漏洞賞金計劃報告了這一問題，Spotify迅速修補了漏洞，並發布了後台1.5.1版本，解決了這一問題。Oxeye已經發布了一篇關於該漏洞的詳細博客。後台統一了所有基礎設施工具、服務和文檔，以創建一個簡化的開發環境。Github上有超過19,000個明星，它是最受歡迎的構建開發者門戶的開源平台之一，被Spotify、美國航空公司、Netflix、Splunk、富達投資、Epic Games、帕洛阿爾托網絡和許多其他公司廣泛使用。Backstage於2020年9月8日被雲原生計算基金會(CNCF)接受，處於孵化項目成熟度級別。Oxeye的軟件架構師Yuval Ostrovsky說:“通過利用默認使用的腳手架核心插件中的vm2沙盒轉義，未經身份驗證的威脅者有能力在後台應用程序上執行任意係統命令。”“像這樣的關鍵雲原生應用程序漏洞正變得越來越普遍，立即解決這些問題至關重要。“我們啟動的每一個研究項目都是從映射應用程序的潛在輸入開始的。”在這種情況下，引起我們注意的是後台軟件模板和基於模板的潛在攻擊，”Oxeye研究主管丹尼爾·阿貝爾斯(Daniel Abeles)說。 “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.” Evaluating user-provided strings in a template engine can be dangerous since it exposes the application to such template-based attacks. The severity of an attack depends on the features the templating engine offers. In this case, the root of a template-based VM escape was able to gain JavaScript execution rights within the template. However, by using "logic-less" template engines such as Mustache, the introduction of server-side template injection vulnerabilities can be avoided. Separating the logic from the presentation as much as possible can greatly reduce exposure to the most dangerous template-based attacks. “If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.” Oxeye’s DevSecOps and AppSec solution is designed for cloud-native application security testing and risk analysis and is enriched with infrastructure layer configuration data. The Oxeye security research team leverages the context-based and multi-dimensional vulnerability analysis capabilities built into the platform to help clear the noise of false positives caused by legacy solutions, and prevent false negatives. This ensures that security teams can focus their resources on other concerns putting the organization at risk. If interested in learning more about how Oxeye can assist with cloud-native application security challenges, please visit https://www.oxeye.io/contact to contact us. Resources: ● Take a deeper dive into the vulnerability by reading the blog entry on Oxeye’s website at: https://www.oxeye.io/blog ● Follow Oxeye on Twitter at @OxeyeSecurity ● Follow Oxeye on LinkedIn at https://www.linkedin.com/company/oxeyeio/ ● Visit Oxeye online at http://www.oxeye.io About Oxeye Oxeye provides a cloud-native application security solution designed specifically for modern container and Kubernetes-based architectures. The company enables customers to quickly identify and resolve all application-layer risks as an integral part of the software development lifecycle by offering a seamless, comprehensive, and effective solution that ensures touchless assessment, focus on the exploitable risks, and actionable remediation guidance. Built for Dev and AppSec teams, Oxeye helps to shift security to the left while accelerating development cycles, reducing friction, and eliminating risks. To learn more, please visit www.oxeye.io . - END -