The Apache open source community has released two patches relating to the Apache OpenWhisk platform, which have been applied by IBM Cloud and other hosted services providers, and all other users are advised to do the same.
Security firm PureSec discovered a vulnerability in the runtime container used to run Apache OpenWhisk functions in Python, and the Apache OpenWhisk community responded by auditing all of its runtime images and found that one other image, for PHP functions, was also affected.
The vulnerabilities could enable an attacker to replace a company’s serverless code with malicious code. Once running, the malicious code could then be used to extract confidential customer data such as passwords or credit card numbers, modify or delete data, mine cryptocurrencies or perform a distributed denial of service (DDoS) attack, the researchers said.
OpenWhisk is the leading open source platform for serverless computing, and there are several commercial deployments of the technology, including IBM’s Cloud Functions service within IBM Cloud.
The Apache community released a security update (patch) for the vulnerabilities (CVE-2018-11756 and CVE-2018-11757) which are the first publicly disclosed vulnerabilities in a serverless platform, and all users of Apache OpenWhisk have been advised to update to the latest version immediately.
After discovering the first vulnerability, the PureSec researchers notified Apache and IBM privately under the security firm’s policy of responsible disclosure and detailed their findings in a security advisory.
Apache OpenWhisk executes functions in response to events with rapid auto-scaling and provides a programming model to create functions as cloud-native event handlers, executing the functions automatically, inside runtime containers, as the events occur.
The PureSec threat research team demonstrated how, under certain conditions, a remote attacker may overwrite the source code of a vulnerable function which is being executed in a runtime container, and influence subsequent executions of the same function in the same container.
An attacker that manages to overwrite or modify the code of the serverless function can then perform further actions, such as leaking sensitive data during subsequent executions within that function, which may belong to other users.
“As part of our continuous research efforts into serverless security, our team discovered this function mutability in an OpenWhisk runtime and, upon verifying it, reported it directly to the Apache OpenWhisk team,” said Ory Segal, CTO and co-founder of PureSec. “We were extremely pleased and impressed with the promptness of the Apache OpenWhisk team, which took this issue very seriously.”
Rodric Rabbah, one of the creators of Apache OpenWhisk, said the security of functions is an important tenet of serverless computing. “The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure,” he said.
According to Rabbah, all serverless developers using Apache OpenWhisk via one of the hosted services, such as IBM Cloud Functions, were patched immediately when the affected runtime was updated and rolled out. He notes that Adobe I/O Runtime, which does not offer the affected images in its service, was not impacted.
“This in itself demonstrates the benefits of the serverless model – zero overhead to developers, and zero disruption,” he wrote in a blog post.
Tim Mackey, senior technical evangelist at Black Duck by Synopsys, said the vulnerabilities demonstrate how trust of infrastructure affects the overall security of the applications being delivered.
“Whether the application is traditional, containerised or serverless, the security of the entire delivery stack must be monitored continually,” he said.
According to Mackey, as applications are decomposed into functions deployed in serverless models, the potential attack surface for these applications increases. “Each function should be considered as a distinct deliverable subject to a full security review,” he said.