2022年11月15日

新闻分享这篇文章提供的新的漏洞在Spotify的后台,发现一个CNCF孵化项目特拉维夫,以色列,11月15日2022 / EINPresswire.com——大眼睛,获奖原生云应用程序安全性的提供者,今天宣布一个关键的存在新的弱点在Spotify的后台项目中,要求开发人员立即采取行动在他们的环境中。通过利用一个VM沙箱vm2逃脱通过第三方库,牛眼菊研究团队获得了能力在后台进行未经身份验证的远程代码执行的项目。牛眼菊报道通过Spotify的bug赏金计划,和Spotify迅速修补漏洞和后台发布1.5.1版本,修复这个问题。牛眼菊发表了详细的博客上的漏洞。后台统一所有基础设施工具、服务和文档创建一个流线型的开发环境。在Github上有超过19000颗恒星,它是最受欢迎的开源平台构建开发者门户网站和广泛使用Spotify,美国航空公司,Netflix, Splunk,富达投资,史诗般的游戏,帕洛阿尔托网络和许多其他人。在后台接受了原生云计算基础(CNCF) 9月8日,2020年,在孵化项目成熟度级别。“利用vm2沙箱逃脱架子工核心插件,用于在默认情况下,未经身份验证的威胁演员有能力执行任意系统命令在后台应用程序中,“尤奥斯特洛夫斯基说,软件架构师的大眼睛。这样的“关键原生云应用程序漏洞越来越普遍,关键是这些问题及时得到解决。”“我们自旋向上的每一个研究项目始于潜在的输入映射到应用程序。什么引起了我们的注意,在这种情况下后台软件模板和潜在的基于模板的攻击,“牛眼菊的研究主管丹尼尔•亚伯说。 “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.” Evaluating user-provided strings in a template engine can be dangerous since it exposes the application to such template-based attacks. The severity of an attack depends on the features the templating engine offers. In this case, the root of a template-based VM escape was able to gain JavaScript execution rights within the template. However, by using "logic-less" template engines such as Mustache, the introduction of server-side template injection vulnerabilities can be avoided. Separating the logic from the presentation as much as possible can greatly reduce exposure to the most dangerous template-based attacks. “If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.” Oxeye’s DevSecOps and AppSec solution is designed for cloud-native application security testing and risk analysis and is enriched with infrastructure layer configuration data. The Oxeye security research team leverages the context-based and multi-dimensional vulnerability analysis capabilities built into the platform to help clear the noise of false positives caused by legacy solutions, and prevent false negatives. This ensures that security teams can focus their resources on other concerns putting the organization at risk. If interested in learning more about how Oxeye can assist with cloud-native application security challenges, please visit https://www.oxeye.io/contact to contact us. Resources: ● Take a deeper dive into the vulnerability by reading the blog entry on Oxeye’s website at: https://www.oxeye.io/blog ● Follow Oxeye on Twitter at @OxeyeSecurity ● Follow Oxeye on LinkedIn at https://www.linkedin.com/company/oxeyeio/ ● Visit Oxeye online at http://www.oxeye.io About Oxeye Oxeye provides a cloud-native application security solution designed specifically for modern container and Kubernetes-based architectures. The company enables customers to quickly identify and resolve all application-layer risks as an integral part of the software development lifecycle by offering a seamless, comprehensive, and effective solution that ensures touchless assessment, focus on the exploitable risks, and actionable remediation guidance. Built for Dev and AppSec teams, Oxeye helps to shift security to the left while accelerating development cycles, reducing friction, and eliminating risks. To learn more, please visit www.oxeye.io . - END -