Apache OpenWhisk CVE-2018-11757 Serverless Function Remote Code Execution Vulnerability

Bugtraq ID:	104913
Class:	Unknown
CVE:	CVE-2018-11757
Remote:	Yes
Local:	No
Published:	Jul 23 2018 12:00AM
Updated:	Jul 23 2018 12:00AM
Credit:	PureSec
Vulnerable:	Apache OpenWhisk 1.3
Not Vulnerable:	Apache OpenWhisk 1.3.1

Apache OpenWhisk CVE-2018-11757 Serverless Function Remote Code Execution Vulnerability

Apache OpenWhisk is prone to a remote code-execution vulnerability.

An attacker may exploit this issue to inject and execute arbitrary code within the context of the affected application; this may aid in further attacks.

Versions prior to Apache OpenWhisk 1.3.1 are vulnerable.

Apache OpenWhisk CVE-2018-11757 Serverless Function Remote Code Execution Vulnerability

The researcher has created a functional exploit to demonstrate the issue. Please see the references for more information.

Apache OpenWhisk CVE-2018-11757 Serverless Function Remote Code Execution Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Apache OpenWhisk CVE-2018-11757 Serverless Function Remote Code Execution Vulnerability

References:

• Do not allow re-init of the action exec. (Apache)
  
• #0b6d8a677f1c063ed32eb3638ef4d1a47dfba89 (Apache)
  
• Apache Homepage (Apache)
  
• PureSec Security Advisory (puresec.io)