
Warning: New Critical Open-Source Vulnerability Discovered in Parse Server!

Overview

A new Remote Code Execution (RCE) vulnerability has been discovered in Parse Server (CVE-2022-24760 [1]).

As published in the project's GitHub Security Advisory [2], the vulnerability affects Parse Server in its default configuration with MongoDB; it is likely to affect deployments on Postgres and other database backends as well.

The underlying weakness is prototype pollution [3] in the file DatabaseController.js: object keys supplied in request data can reach the prototype chain of server-side objects, and an attacker can turn that into remote code execution.

The advisory confirms that the vulnerability is exploitable on Linux (Ubuntu) and Windows.

About Parse Server

In case you are unfamiliar with Parse Server: it is an open-source backend that can be deployed to any infrastructure that can run Node.js.

Parse Server currently has about 35k npm downloads per week.

On 12 March 2022 the project committed a fix for this vulnerability: "fix: security vulnerability that allows remote code execution" [4].

To prevent the JavaScript prototype pollution, the fix adds a new security feature that scans incoming request data for prohibited keywords (such as the `__proto__` key) and rejects requests that contain them; the list is exposed as the `requestKeywordDenylist` server option.

Immediate action

Patches

Upgrade to Parse Server 4.10.7 or later.

If you are using an alpha or beta release of Parse Server 5.0.0, you also need to move to a patched 5.0.0 prerelease.

Workarounds

If you cannot upgrade to Parse Server 4.10.7 or later, the project maintainers have published a workaround.

It consists of patching the MongoDB Node.js driver to disable BSON code execution. This cuts off the code-execution path but leaves the prototype-pollution bug in DatabaseController.js in place, so treat it as a stopgap until you can upgrade.

To apply it, take the code from the advisory's GitHub page [5] and make sure it executes before Parse Server starts, for example at the top of `index.js`.

How to build a process for mitigating the risk of critical open-source vulnerabilities

Software companies need to continuously monitor the health of their software dependencies and be ready to react to newly discovered vulnerabilities and attacks, in order to reduce open-source risk and damage.

Your DevSecOps process should include the following to maintain a strong security posture for your open-source dependencies.

  • Continuous monitoring: Maintain real-time visibility into the security level of your open-source package dependencies, and monitor external security advisories and vulnerability databases for those packages, so that you are aware of any change in their security status.
  • Continuous remediation: Define and execute a plan, together with the development organization, for identifying open-source packages with high-risk vulnerabilities and upgrading them to a safe version, on a monthly basis.
  • Risk prevention: Apply a screening and approval process that identifies new packages with low security confidence or suspicious behavior, and prevent such packages or versions from entering new projects.
  • Incident response: Define a fast response process and team that enables you to react in real time to critical vulnerabilities and attacks involving open-source packages, such as the Log4j vulnerability, to minimize exposure and damage.

Following the recent attacks related to open-source vulnerabilities, this topic is now a top priority for security and development leaders. Until now, many people assumed that code scanners were the only way to handle this risk and, since scanners are a very limited tool for it, that such attacks were inevitable. With modern, purpose-built supply chain security you can now limit your exposure to vulnerable open-source packages, reducing the risk and the potential damage of attacks against them.

Argon's software supply chain security solution enforces a strong security posture over your development process: it reduces open-source risk, sends real-time alerts when the security status of one of your open-source packages changes, applies the security guardrails needed to minimize your exposure to new packages, and enables fast response to attacks.

Ref:

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24760

[2] https://github.com/parse-community/parse-server/security/advisories

[3] https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

[4] https://github.com/parse-community/parse-server/commit/e569f402b1fd8648fb0d1523b71b2a03273902a5

[5] https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm

The post Warning: New Critical Open-Source Vulnerability Discovered in Parse Server! appeared first on Argon Security - Holistic Security For Your CI/CD Pipeline.
