2017-SV5 Filename Mutability 2

affects OMERO versions 5.3.3 and earlier

back to Advisories

Synopsis

A user could create an OriginalFile and adjust its path such that it now points to another user's file on the underlying filesystem, then manipulate the user's data.

Background

Security relies on the uniqueness constraint on (path, name, repo) on the originalfile table in the database. 2017-SV5 adjusts that constraint to be insensitive to certain variations in the use of "/" characters.

Affected Packages

OMERO.server up to and including 5.3.3

Impact

High severity.

CVSS score 7.6 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C/CR:M/IR:M/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:H/MA:L

Workaround

For OMERO 5.2, apply the provided SQL script to prevent the update of originalfile path and name with certain variations in the use of "/" characters:

If the script fails, then it is possible that file manipulation has taken place. Please contact security@openmicroscopy.org for help.

As always when applying a database upgrade, please take a database backup beforehand.

Resolution

All OMERO.servers should be upgraded to at least 5.3.4.


back to top