
2016-SV2 Share

Synopsis

Improper Access Control Vulnerability.

The OMERO.shares system bypasses intended security restrictions and grants elevated privileges to read otherwise-restricted data.

Background

Using the API, an authenticated user can retrieve data belonging to users in any group, including groups the user is not a member of. Exploitation requires the ability to authenticate to the server remotely over the standard OMERO ports (4063 and 4064) and custom client code that makes use of the vulnerability; no privileges beyond an ordinary user account are needed.

Affected packages

OMERO.server up to and including 5.2.4.

Impact

Severity: High (project rating).

CVSS v3 base score 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (network-reachable, low attack complexity, low privileges required, no user interaction; high confidentiality impact, no integrity or availability impact).

Any authenticated user is able to gain read-only access to data that should not be accessible to them by creating a 'Share' that includes it.

Workaround

SQL scripts are provided for the 5.1 and 5.2 databases which:

  • delete all shares
  • disable the creation of shares

These scripts can be run against a running server with no downtime. If your users are not actively using the shares functionality, this is a safe course of action. To check whether any shares exist, run the following against the OMERO database (the database name is `omero` in a default installation):

    psql omero -c "select count(*) from share"

Administrators who want to preserve existing shares so they can be restored after a later upgrade must back them up before running the "delete-and-disable" script, since the script removes all share rows.
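The check-then-back-up step described above, as an added example script that is not part of the OMERO project's own workaround scripts. It assumes that `psql` and `pg_dump` can reach the OMERO database with the current user's credentials, that the database is named `omero` unless `OMERO_DB` is set (both assumptions), and that the table of interest is `share`, as in the advisory's own query. The script name `check-shares.sh` is also an assumption, used only to guard the entry point.

```shell
#!/bin/sh
# Pre-workaround check for OMERO 2016-SV2 (added example, not OMERO's script).
# Assumptions: psql/pg_dump reach the OMERO database without extra arguments;
# the database is called "omero" unless OMERO_DB overrides it.
set -eu

DB="${OMERO_DB:-omero}"

# The advisory's check: number of rows in the share table, trimmed of whitespace.
share_count() {
    psql "$DB" -tA -c "select count(*) from share"
}

# Returns 0 when no shares exist (safe to run delete-and-disable as-is),
# 1 when shares exist (back them up first), 2 when psql output is not a number.
shares_need_backup() {
    n=$(share_count | tr -d '[:space:]')
    case "$n" in
        ''|*[!0-9]*) echo "unexpected psql output: '$n'" >&2; return 2 ;;
    esac
    if [ "$n" -eq 0 ]; then
        return 0
    fi
    echo "$n share(s) found in database $DB" >&2
    return 1
}

# Dump the share table (schema and data) to a timestamped file in the given
# directory so the shares can be restored after upgrading to 5.2.5.  Refuses to
# report success on an empty dump.  Prints the dump path on stdout.
backup_shares() {
    dir="${1:-.}"
    f="$dir/omero-shares-$(date +%Y%m%dT%H%M%S).sql"
    pg_dump "$DB" -t share > "$f" || return 1
    [ -s "$f" ] || { echo "empty dump, refusing to continue" >&2; return 1; }
    echo "$f"
}

# Usage: main [backup-dir]
main() {
    rc=0
    shares_need_backup || rc=$?
    case "$rc" in
        0) echo "no shares present: safe to run the delete-and-disable script" ;;
        1) f=$(backup_shares "${1:-.}") || exit 1
           echo "shares backed up to $f; verify the dump, then run the delete-and-disable script" ;;
        *) exit "$rc" ;;
    esac
}

# Only run main when executed as check-shares.sh (assumed name), not when sourced.
case "${0##*/}" in
    check-shares.sh) main "$@" ;;
esac
```

Run it as `OMERO_DB=omero sh check-shares.sh /var/backups/omero` before applying the workaround; the backup is skipped only when the count is exactly zero, and any non-numeric `psql` output (connection refused, missing table) is treated as an error rather than as "no shares".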

Resolution

All OMERO.servers should be upgraded to at least 5.2.5. With this version, neither existing nor newly created shares exhibit the vulnerability. Note that shares in 5.2.5 only support images, which matches how shares are normally created from OMERO.web.
