[ZODB-Dev] CVE-2009-2701: Releases to fix ZODB ZEO server vulnerability
Jim Fulton
jim at zope.com
Tue Sep 1 06:11:05 EDT 2009
A vulnerability has been found in the Zope Object Database (ZODB) Zope
Enterprise Objects (ZEO) server implementation that allows any file
readable by the server to be read by clients and any file removable by
the server to be removed.
The vulnerability only applies if
- you are using ZEO to share a database among multiple applications or
application instances,
- you allow untrused clients to connect to your ZEO server, and
- the ZEO server is configured to support blobs.
The vulnerability was introduced in ZODB 3.8.
Overview
--------
This vulnerability is addressed by updates to ZODB.
A new release of ZODB is available here:
http://pypi.python.org/pypi/ZODB3/3.8.3
(There is also a new development release at
http://pypi.python.org/pypi/ZODB3/3.9.0c2.)
If you are using blobs, we recommend updating any ZEO storage servers
you're running to ZODB 3.8.3 (or ZODB 3.9.0c2). These versions
support ZEO clients as old as ZODB 3.2. It isn't necessary to update
client software (such as Zope application servers).
Restricting access to ZEO storage servers
-----------------------------------------
It is very important to restrict write access to ZODB databases. These
releases only protect against vulnerabilities in the ZEO network
protocol. ZODB uses Python pickles to store data. Loading data from
the database can cause arbitrary code to be executed as part of object
deserialization. Clients have full access to manipulate database
data. For this reason, it is very important that only trusted clients
be allowed to write to ZODB databases.
--
Jim Fulton
More information about the ZODB-Dev
mailing list