CVE-2023-46302: Critical Apache Submarine RCE Vulnerability
A critical remote code execution (RCE) vulnerability, designated as CVE-2023-46302, has been discovered in Apache Submarine, an end-to-end machine learning (ML) platform. This vulnerability, stemming from a security flaw in snakeyaml (CVE-2022-1471), poses a severe threat to Apache Submarine users, allowing attackers to execute arbitrary code on vulnerable systems.
Apache Submarine utilizes JAXRS to define its REST endpoints, essential for handling the various requests and responses within the platform. To process YAML requests specifically (identified by the application/yaml content type), it employs a YamlEntityProvider entity provider. The crux of the vulnerability lay in the readFrom method, a function designed to unmarshal incoming YAML requests. This process occurs in submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java, where the entityStream containing user-supplied data is passed.
In response to this critical security threat, the Apache Submarine team has taken decisive action. The resolution came in the form of a version update. The problematic component, snakeyaml, was replaced with jackson-dataformat-yaml in the new version, effectively sealing the breach.
The CVE-2023-46302 vulnerability affects Apache Submarine versions 0.7.0 through 0.7.2. To address this critical security issue, users are strongly advised to upgrade to version 0.8.0, which encapsulates the necessary fix. However, for those unable or unwilling to immediately upgrade to the latest version, there is an alternative. Users can manually cherry-pick the pertinent Pull Request (PR) and rebuild their submart-server image. This workaround offers a temporary fix to the vulnerability, allowing users to continue their machine-learning endeavors with an added layer of security.