Apache Superset, the popular open-source data visualization platform, recently came under the spotlight for a couple of vulnerabilities disclosed. Naveen Sunkavally, a security researcher from Horizon3, disclosed a couple of critical vulnerabilities that put many Apache Superset deployments at risk. The two vulnerabilities identified are CVE-2023-39265 and CVE-2023-37941.
Identified the previous month, both vulnerabilities have significant attention due to their potential impact. While CVE-2023-39265 could allow attackers unauthorized access to SQLite databases, CVE-2023-37941 poses a more severe threat by enabling remote code execution. Both vulnerabilities have critical to high CVE base scores, indicating the critical nature of the flaws. If exploited, these vulnerabilities can lead to scenarios like credential theft, data breaches, and potential takeover of the Apache Superset server.
In this blog post, we will learn more about Apache Superset, its architecture, and its features. We’ll also explore the technicalities of CVE-2023-39265 and CVE-2023-37941, shedding light on how these vulnerabilities originated, their implications, and how attackers might exploit them. Lastly, we will guide you through the remediation process, ensuring you can secure your Apache Superset deployments effectively. With that said, let’s begin this post that lets you know how to fix CVE-2023-39265 and CVE-2023-37941, unauthorized SQLite access, and RCE vulnerabilities in Apache Superset.
Introducing Apache Superset and its Features
Apache Superset is an open-source data visualization and exploration platform that has rapidly grown in popularity over recent years. Developed by Airbnb and later contributed to the Apache Software Foundation, Superset provides a fast, lightweight, and intuitive interface for users to craft intricate data visualizations and derive insights from vast datasets.
The primary allure of Apache Superset lies in its robust set of features. Here are some of the capabilities of this platform:
- Dynamic and Interactive Dashboards: Superset supports the creation of visually rich dashboards that can be customized to specific business needs. These dashboards are interactive, allowing users to drill down into specific data points for deeper insights.
- SQL Lab: A feature-rich environment where users can write SQL queries, visualize results, and even create new tables or views. It’s a good playground for data analysts and engineers.
- Diverse Data Source Integration: Superset can seamlessly connect with various relational databases, including PostgreSQL, MySQL, Oracle, and many more. It can connect to any SQL-based databases, including modern cloud-native databases and engines at petabyte scale.
- Easy Data Exploration: Its drag-and-drop interface simplifies data exploration, eliminating the steep learning curve often associated with data visualization tools.
- Extensible and Customizable: Apache Superset supports plugins, allowing developers to extend its functionalities and tailor it to unique use cases.
From an architectural standpoint, Apache Superset boasts a modular design. It consists of a frontend built using React and a backend powered by Python’s Flask framework. The platform leverages the SQLAlchemy ORM for database connections, making it adaptable to various database technologies. Furthermore, Superset’s architecture is designed for scalability, ensuring it can handle large datasets and serve numerous users simultaneously.
Understanding CVE-2023-39265 & CVE-2023-37941
Horizon3 uncovered several vulnerabilities in Apache Superset, among these vulnerabilities, these three are something that needs immediate attention. The recent vulnerabilities CVE-2023-39265 and CVE-2023-37941 and another one disclosed in April this year, CVE-2023-27524, a flaw stemmed from an insecure default configuration of the Flask SECRET_KEY value that enables unauthorized attackers to gain admin access to vulnerable Apache Superset servers.
According to the researcher, the cumulative effect of all three vulnerabilities is worst at its point. CVE-2023-27524 vulnerability allows a remote attacker to gain admin access. CVE-2023-39265 allows attackers to bypass the safeguards in place to prevent SQLite connections and gain control of the metadata database. The third vulnerability, CVE-2023-37941, allows attackers to execute remote code on the vulnerable Apache Superset server.
CVE-2023-39265 and CVE-2023-37941 are two high-severity vulnerabilities connected with SQLite, an open-source SQL database engine commonly used by developers to incorporate a relational database into their applications, and Python’s pickle package, a module used for serializing and deserializing Python objects.
CVE-2023-39265 is a vulnerability that allows attackers to bypass the safeguards in place to prevent SQLite connections and gain control of the metadata database. This vulnerability arises from the fact that Superset uses SQLite as its metadata database, and the SQLite file is located on the Superset web server. An attacker can bypass the safeguards by putting in the full SQLAlchemy URI containing both the dialect and driver name like ‘sqlite+pysqlite:////path/to/database.db’. After connecting to the metadata store, an attacker can then enable it for use in SQLLab and turn on write/DML statements.
Successful connection to the database upon bypassing the safeguards by putting in the full SQLAlchemy URI containing both the dialect and driver name (Image Source: Horizon3)
CVE-2023-37941 is a vulnerability that allows attackers to execute remote code on the Superset server. This vulnerability arises from Python’s pickle package to store certain configuration data. An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store and then trigger deserialization of it, leading to remote code execution.
Apache Superset Versions Affected by CVE-2023-39265 & CVE-2023-37941
Apache Superset versions up to and including 2.1.0 are affected by the unauthorized SQLite database access flaw tracked as CVE-2023-39265. Versions 1.5 through 2.1.0 are vulnerable to the remote code execution issue via pickle deserialization, tracked as CVE-2023-37941. Both vulnerabilities are fixed in version 2.1.1.
- CVE-2023-39265: Apache Superset versions up to and including 2.1.0
- CVE-2023-37941: Apache Superset versions 1.5 to 2.1.0
How To Upgrade Apache Superset to Fix CVE-2023-39265 & CVE-2023-37941?
To address the unauthorized SQLite access and remote code execution vulnerabilities in Apache Superset, the vendor has released version 2.1.1. All users should upgrade to this latest version as soon as possible. Superset 2.1.1 prevents the SQLite metadata database from being accessed directly through SQLAlchemy URIs. It also replaces the usage of the pickle module with JSON to prevent unsafe deserialization.
For production installs, migrate to a more robust metadata database like Postgres rather than using SQLite. Review and restrict user permissions to only allow access to required functionality. Use strong secrets and rotate any credentials that may have been exposed. Restrict network access to Superset and avoid exposing it directly to the public internet if possible. Upgrading to the latest release, securing the metadata database, and limiting access are key steps to mitigate these vulnerabilities in Apache Superset deployments.
How To Upgrade Apache Superset to Fix CVE-2023-39265 & CVE-2023-37941?
Upgrading Apache Superset to the latest version, 2.1.1, is a straightforward process. The steps are as follows:
For a native Superset installation, upgrade by running
pip install apache-superset --upgrade to get the latest 2.1.1 package. Next, run
superset db upgrade to upgrade the metadata database schema. Finally, reinitialize the metadata with
pip install apache-superset --upgrade superset db upgrade superset init
Before upgrading production, it is highly recommended to first test the upgrade process in a staging environment. Also, schedule the production upgrade during off-peak hours to minimize disruption. Although upgrading Superset does not delete existing dashboards and charts, the best practice is to back up the metadata database prior to upgrading. This provides a rollback option in case of issues. After upgrading, verify the proper functioning of the Superset.
Check that dashboards and charts render as expected. Also, test any custom plugins or functionality used in your deployment. Monitor logs for any errors or warnings after upgrading. With these steps, Apache Superset can be upgraded to the latest 2.1.1 version. Proper testing and backups help ensure a smooth transition to the new release. Follow best practices for enterprise software upgrades to upgrade Superset safely and efficiently.