NEWS
Code Review of OpenSearch
X41 performed a source code review of OpenSearch, an open-source search and analytics suite, sponsored once again by the Open Source Technology Improvement Fund. The report is being released now that the development team addressed the issues identified.
The full report can be found here:
https://x41-dsec.de/static/reports/X41-OSTIF-OpenSearch-CodeReview-2023-09-18-Public.pdf
Code Review Results
A total of two vulnerabilities were discovered during the review by X41. The first is a shell injection issue where a plugin name is included in a shell command without any escaping or filtering. However, the issue was given a low severity rating because the list of allowed plugin names is hardcoded into a plugins.txt file, which is distributed with the software. However, changing data such as the name of a plugin should ideally not result in code execution. Passing data via a method other than string concatenation, such as stdin, or applying shell escaping should resolve the issue.
The second vulnerability was found in the downloading of plugins from a third party source, which happens without verification. The source, Maven’s Central Repository, documents that “if there are no signatures, then users have no guarantee that they are downloading the original artifact.” A hash sum is downloaded and verified, but only protects against data corruption as it is downloaded from the same repository. An attacker who can modify the file can be expected to also be able to modify the file that contains the expected hash. X41 recommends to perform signature validation per Maven’s recommendation. The appropiate key for the signature could be obtained from the original developer’s website, for example.
The identification of only two low severity issues attests to the project’s good security practices. In addition, six opportunities for further hardening were identified and are detailed in the report.
Links
OpenSearch announcement:
https://opensearch.org/blog/opensearch-security-a-testament-to-our-commitment
OSTIF announcement:
https://ostif.org/opensearch-audit/
If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!