2017-SV4 Guest User

affects OMERO versions 5.3.4 and earlier


Synopsis

Users logged in as the insecure "guest" user could make unintended remote method calls, including viewing the names of other active users and uploading files to the server's binary repository.

Background

A "guest" user is enabled by default on all OMERO systems so that clients can request non-sensitive information at startup, e.g. the current server version. A few commands failed to check for the guest user and therefore allowed user-like actions. These included the current-sessions request, which allowed "bin/omero sessions who" to disclose when other users were logged in, and "bin/omero script upload", which permitted the guest to upload files.

A review was performed of all API methods, disabling all but the bare minimum of calls that are needed by "guest". Future versions may loosen the restriction to re-allow some minimal actions by "guest".

The fix prevents the guest user from making any omero.cmd calls or from retrieving any unnecessary services. It also prevents the guest user from creating or editing any non-system data objects, including images, files and annotations.
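The underlying design change is from a per-method denylist (each call had to remember to refuse "guest", and a few did not) to a default-deny allowlist (guest may reach only the calls explicitly granted to it). The following is an added illustration of that difference, not OMERO's own code: the method names, handlers and both policy functions are hypothetical stand-ins for the real OMERO services.

```python
"""Illustrative model of the guest-user restriction described in this advisory.

Added example, not OMERO code. The handler names below are hypothetical
stand-ins for real server methods; the returned values are constructed.
"""

GUEST = "guest"


class Forbidden(Exception):
    """Raised when the policy refuses a call for the current user."""


# Hypothetical server methods. Each takes the calling user and an args tuple.
def server_version(user, args):
    return "5.3.5"                       # non-sensitive, needed at client startup


def sessions_who(user, args):
    return ["alice", "bob"]              # discloses which other users are active


def script_upload(user, args):
    return f"stored {args[0]} as {user}"  # writes into the binary repository


def delete_image(user, args):
    return f"deleted {args[0]}"


HANDLERS = {
    "server_version": server_version,
    "sessions_who": sessions_who,
    "script_upload": script_upload,
    "delete_image": delete_image,
}


# Pre-fix style: a denylist. Only the methods someone remembered to list refuse
# the guest; anything forgotten (sessions_who, script_upload) stays reachable.
GUEST_DENYLIST = {"delete_image"}


def denylist_policy(user, method):
    return not (user == GUEST and method in GUEST_DENYLIST)


# Post-fix style: an allowlist. The guest reaches only the bare minimum, and a
# method that nobody classified is denied by default.
GUEST_ALLOWLIST = {"server_version"}


def allowlist_policy(user, method):
    return user != GUEST or method in GUEST_ALLOWLIST


def dispatch(policy, user, method, *args):
    """Look up a method, apply the policy, then run the handler."""
    if method not in HANDLERS:
        raise KeyError(method)
    if not policy(user, method):
        raise Forbidden(f"{user} may not call {method}")
    return HANDLERS[method](user, args)


def guest_exposure(policy):
    """Audit helper: the set of methods a guest can actually reach.

    Running this over every registered method is the check the advisory's
    API review amounts to; under the allowlist it should equal the allowlist.
    """
    reachable = set()
    for method in HANDLERS:
        try:
            dispatch(policy, GUEST, method, "sample.py")
        except Forbidden:
            continue
        reachable.add(method)
    return reachable


if __name__ == "__main__":
    print("denylist exposes:", sorted(guest_exposure(denylist_policy)))
    print("allowlist exposes:", sorted(guest_exposure(allowlist_policy)))
```

The point of `guest_exposure` is that under an allowlist the audit result is determined by one set rather than by every handler having been written correctly; adding a new server method cannot silently widen what the guest can do.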

Note that this fix also disables the forgotten-password reset functionality in OMERO.web, since that feature relied on the guest user being able to act on the server.

Affected Packages

OMERO.server up to and including 5.3.4

Impact

High severity.

CVSS v3 score 5.4, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:L/MA:L. The 5.4 figure includes the temporal and environmental metrics in the vector; the base metrics alone (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) score 7.3, which is the High rating stated above.

Workaround

For OMERO 5.3.x it is possible to disable the guest user by setting a password for it with the CLI command bin/omero user password guest (you should also review any files owned by "guest", since they may have been uploaded through this issue). If you have deployed OMERO.web, you must also set the omero.web.check_version configuration property to false, e.g. via the CLI command bin/omero config set omero.web.check_version false, because the version check is performed as the guest user.

For OMERO 5.2.x there is no workaround: disabling the guest user on that release prevents users from logging in via OMERO.web and OMERO.insight.

Resolution

All OMERO.servers should be upgraded to at least 5.3.5.
