
Authenticated remote code execution due to insecure deserialization (GHSL-2022-063)

Critical
tetron published GHSA-8867-q4xf-cqgm Aug 12, 2022

Package

arvados (arvados)

Affected versions

< 2.4.1

Patched versions

2.4.2

Description

Summary

A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2.

This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypeScript browser-based Workbench application (“Workbench 2”) or the API Server, are vulnerable to this attack.

Impact

This issue may lead to Remote Code Execution (RCE).

Workaround

For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation.

Use the TypeScript browser-based "Workbench 2" application, or command line tools.

Credit

This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).

Severity

Critical

CVE ID

CVE-2022-36006

Weaknesses

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Learn more on MITRE.
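The weakness above is that untrusted input is handed to a deserializer that can do more than build plain data. The following Ruby snippet is an added example of the defensive pattern, not Arvados code and not the fix shipped in 2.4.2: it decodes an untrusted JSON body with `JSON.parse` (which, with `create_additions: false`, only ever produces Hash, Array, String, Numeric, true, false and nil), bounds nesting depth, and then checks the result against an allowlist of expected keys and types before the application touches it. The `SCHEMA` keys and the `UnsafePayload` error class are constructed for illustration.

```ruby
require 'json'

# Added example (not Arvados code). Raised for any payload the application
# should refuse: malformed, too deeply nested, or not matching the schema.
class UnsafePayload < StandardError; end

# Hypothetical allowlist for one request body: every permitted key and the
# Ruby type its value must have. Constructed for this example.
SCHEMA = {
  'name'  => String,
  'count' => Integer,
  'tags'  => Array,
}.freeze

# Decode untrusted JSON into plain data and validate it.
#
# JSON.parse with create_additions: false never instantiates application
# classes from the document, unlike deserializers that map documents onto
# arbitrary objects. max_nesting bounds parser work on hostile input.
def parse_untrusted_json(raw, schema: SCHEMA, max_nesting: 20)
  data = JSON.parse(raw, create_additions: false, max_nesting: max_nesting)

  raise UnsafePayload, 'top-level value must be an object' unless data.is_a?(Hash)

  # Reject any key the application never defined, rather than ignoring it.
  unknown = data.keys - schema.keys
  raise UnsafePayload, "unexpected keys: #{unknown.join(', ')}" unless unknown.empty?

  # Enforce the expected Ruby type for every key that is present.
  schema.each do |key, type|
    next unless data.key?(key)
    raise UnsafePayload, "#{key} must be #{type}" unless data[key].is_a?(type)
  end

  data
rescue JSON::ParserError => e
  # JSON::NestingError is a subclass of ParserError, so depth violations land here too.
  raise UnsafePayload, "malformed JSON: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one well-formed body, one with an unexpected key.
  p parse_untrusted_json('{"name":"job-1","count":2,"tags":["x"]}')
  begin
    parse_untrusted_json('{"name":"job-1","json_class":"Anything"}')
  rescue UnsafePayload => e
    puts "rejected: #{e.message}"
  end
end
```

The important property is that validation happens on plain data after parsing, and that parsing itself cannot construct application objects; a schema check bolted on after an object-instantiating deserializer would run too late.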
