Detector for MinIO cluster information disclosure (CVE-2023-28432) #308
Merged
Hi @h0ng10! Please run https://github.com/google/google-java-format against your Java files before starting the code review; this would greatly reduce review overhead due to linter errors. Thanks! 🙂
copybara-service bot pushed a commit that referenced this pull request on Dec 18, 2023:
-- a0ffc86 by Hans-Martin Münch <[email protected]>: Adding detector
-- 9899c36 by Nghi Tran <[email protected]>: Update README.md
-- a4a716b by Nghi Tran <[email protected]>: Lint Cve202328432VulnDetector.java
-- 26be682 by Nghi Tran <[email protected]>: Http Lint Cve202328432VulnDetector.java
-- 6e3aa04 by Nghi Tran <[email protected]>: Lint S3Escaper.java
-- 8a2d8f5 by Nghi Tran <[email protected]>: Lint Digest.java
-- 129ca1d by Nghi Tran <[email protected]>: Remove typo Cve202328432VulnDetector.java
-- 25a56c2 by Nghi Tran <[email protected]>: Update Cve202328432VulnDetector.java
-- c56a1b8 by Nghi Tran <[email protected]>: Update Cve202328432VulnDetector.java
-- e349d99 by Nghi Tran <[email protected]>: Lint failedAuthResponse.xml
-- 43ce5e0 by Nghi Tran <[email protected]>: Lint successfulAuthResponse.xml
-- b6db708 by Nghi Tran <[email protected]>: Lint blockedNotify.xml
-- 6a87856 by Nghi Tran <[email protected]>: Custom service filtering
-- d695353 by Nghi Tran <[email protected]>: Change return type Digest.java
-- 7eb2df4 by Nghi Tran <[email protected]>: Delete unused S3Escaper.java
-- b5ba278 by Nghi Tran <[email protected]>: Linter Signer.java
-- 059a8e4 by Nghi Tran <[email protected]>: Linter of using Default ZoneOffset Time.java
-- 5b80c3f by Nghi Tran <[email protected]>: Lint blockedNotify.xml
COPYBARA_INTEGRATE_REVIEW=#308 from h0ng10:minio_cv2023_28432 5b80c3f
PiperOrigin-RevId: 592008849
Change-Id: I4e64edfda8870d5628a2a541519697b7c1f795b2
copybara-service bot pushed a commit that referenced this pull request on Dec 20, 2023:
PiperOrigin-RevId: 592368952
Change-Id: Iaa183e5d75793594bf4ac25561c2c10150dc902c
This detector checks for CVE-2023-28432, an Information Disclosure Vulnerability in MinIO Cluster deployments. It confirms that the leaked credentials are actually working by performing an authentication request.
The plugin also checks for cluster instances where no key/secret is set and the default credentials (minioadmin:minioadmin) are used.
The following cases are detected:
Fixed instance with default credentials
Vulnerable instance with default credentials (no environment variable set)
Vulnerable instance with (deprecated) MINIO_ACCESS_KEY environment variable
Vulnerable instance with MINIO_ROOT_PASSWORD environment variable
Docker compose files for each case can be found here.
For authentication, this plugin uses code from the MinIO Java SDK, which is licensed under the Apache 2.0 license. The code has been minimized and adjusted to work with Tsunami's own httpclient instead of okhttp.
PRP request: #291
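The authentication request the description refers to is an AWS Signature V4 signed S3 request, which is what the Signer, Digest and Time classes borrowed from the MinIO Java SDK compute. The following is an added example, not code from this PR or from the MinIO SDK: a plain-Python re-implementation of the SigV4 steps (canonical request, string to sign, HMAC key derivation, Authorization header). The hostname, timestamp and key pair it signs with are constructed placeholders.

```python
"""Minimal AWS Signature V4 signer for an S3-style request (added example).

Re-implements in plain Python the signing steps that the MinIO SDK-derived
Signer/Digest/Time classes perform. All inputs below are constructed values.
"""
import hashlib
import hmac

# SHA-256 of an empty body; goes into x-amz-content-sha256 for GET requests.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def canonical_request(method, path, query, headers, payload_hash):
    """Build the SigV4 canonical request; returns (text, signed_headers)."""
    # Header names are lower-cased and sorted; values are whitespace-trimmed.
    items = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    # canonical_headers already ends in "\n", which yields the required blank line.
    text = "\n".join([method, path, query, canonical_headers,
                      signed_headers, payload_hash])
    return text, signed_headers


def signing_key(secret_key, date_stamp, region, service="s3"):
    """Derive the per-day signing key: HMAC chain over date, region, service."""
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sign_request(access_key, secret_key, method, host, path, amz_date,
                 region="us-east-1", query="", payload=b""):
    """Return the request headers to send, including the SigV4 Authorization."""
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-content-sha256": payload_hash}
    creq, signed = canonical_request(method, path, query, headers, payload_hash)
    date_stamp = amz_date[:8]  # YYYYMMDD portion of the ISO-8601 basic timestamp
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

A server that rejects the signature with a failed-auth XML body tells a scanner that the key pair is not valid there, which is the distinction the detector's successfulAuthResponse/failedAuthResponse fixtures exercise.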