[OOD-users] Security fix in Open OnDemand patch release 1.6.22 and 1.5.7 now available

Franz, Eric efranz at osc.edu
Mon Apr 6 13:48:41 EDT 2020

We have released a 1.6.22 and 1.5.7 patch release with a security fix to a CSRF vulnerability [1] in the shell app [2].

To update from 1.6.20 to 1.6.22 or 1.5.5 to 1.5.7:

    sudo yum update ondemand

This security fix adds proper CSRF protection using both the Origin request header [3] check and a CSRF token check.

The Origin check uses X-Forwarded-Proto [4] and X-Forwarded-Host [5] that Apache mod_proxy [6] sets to build the string that is used to compare with the Origin request header the browser sends in the WebSocket upgrade request.

In some edge cases this string may not be correct, and as a result valid WebSocket connections will be denied. In this case you can either set OOD_SHELL_ORIGIN_CHECK env var to the correct https string, or disable the origin check altogether by setting OOD_SHELL_ORIGIN_CHECK=off (or any other value that does not start with “http”). This can be set in /etc/ood/config/apps/shell/env or in /etc/ood/config/nginx_stage.yml (see 1.5 docs [7] and 1.6 [8] docs on this). Either way the CSRF token will still provide protection from this vulnerability.

[1]: https://owasp.org/www-community/attacks/csrf
[2]: https://github.com/OSC/ood-shell/compare/v1.4.8...v1.5.1
[3]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
[4]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
[5]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
[6]: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
[7]: https://osc.github.io/ood-documentation/release-1.5/customization_overview.html
[8]: https://osc.github.io/ood-documentation/release-1.6/customization_overview.html

Eric Franz, Gateways Lead Engineer
Ohio Supercomputer Center
An Ohio Technology Consortium (OH-TECH) Member
1224 Kinnear Road
Columbus, OH 43212
email: efranz at osc.edu

More information about the OOD-users mailing list