Our serverless threat research team identified and disclosed a security weakness in Apache OpenWhisk, the leading open source serverless platform which is being used by thousands of organizations. Apache OpenWhisk is the leading open source platform for serverless computing, and there are several commercial deployments of the technology.
Based on our research, under certain conditions, a remote attacker may overwrite the source code of the serverless function (referred to as “action” in the OpenWhisk platform) being executed and influence subsequent executions of the same function in the same runtime container. An attacker that manages to overwrite or modify the code of the serverless function can then perform further actions such as leaking sensitive data during subsequent executions, which may belong to other end-users.
Apache OpenWhisk is a serverless, open source cloud platform that executes functions in response to events at any scale. OpenWhisk is a cloud-first distributed event-based programming service. It provides a programming model to upload event handlers to a cloud service, and register the handlers to respond to various events.
As part of our continuous research efforts into serverless security, our team discovered this mutability weakness in OpenWhisk and upon verifying it, reported it directly to the Apache OpenWhisk team. We were extremely pleased and impressed with the promptness of the OpenWhisk team, which took this issue very seriously.
“Upon receiving and validating the details on this weakness from PureSec, the Apache OpenWhisk team reviewed and pushed a fix which mitigates the risk for OpenWhisk users” said Rodric Rabbah, creator of Apache OpenWhisk project. “We would like to thank PureSec, their contribution to serverless security has helped to make the OpenWhisk platform more secure”
The majority of the fantastic research work on this weakness and its remediation were done by Yuri Shapira, Principal Researcher at PureSec.
You can find more detailed information about the weakness in the following links:
*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/apache_openwhisk_mutability_weakness