CVE-2020-9301
📋 TL;DR
This vulnerability in Spinnaker allows authenticated attackers to execute arbitrary SpEL expressions via HTTP POST requests, enabling file read/write operations within the orca container. All Spinnaker deployments prior to versions 1.23.4, 1.22.4, or 1.21.5 are affected. The attack requires authentication but can lead to container compromise.
💻 Affected Systems
- Spinnaker
📦 What is this software?
Spinnaker by Linux Foundation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the orca container, allowing attackers to read sensitive configuration files, write malicious scripts, and potentially pivot to other containers or the host system.
Likely Case
Unauthorized file access leading to credential theft, configuration tampering, or data exfiltration from the orca container.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent unauthorized access to vulnerable endpoints.
🎯 Exploit Status
Exploitation requires authenticated HTTP POST requests to vulnerable endpoints. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.23.4, 1.22.4, or 1.21.5
Vendor Advisory: https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-006.md
Restart Required: Yes
Instructions:
1. Upgrade Spinnaker to version 1.23.4, 1.22.4, or 1.21.5.
2. Restart all Spinnaker services.
3. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict network access to orca service
Limit HTTP POST requests to the orca service to trusted sources only using network ACLs or firewalls.
Implement strong authentication controls
Enforce multi-factor authentication and strict access controls for Spinnaker users to reduce attack surface.
🧯 If You Can't Patch
- Isolate the Spinnaker deployment in a restricted network segment with no internet access.
- Implement application-level WAF rules to block suspicious POST requests containing SpEL expressions.
🔍 How to Verify
Check if Vulnerable:
Check the Spinnaker version with the Halyard command 'hal version list', or inspect deployment manifests for version numbers below 1.23.4, 1.22.4, or 1.21.5.
Check Version:
hal version list
Verify Fix Applied:
Confirm version is 1.23.4, 1.22.4, or 1.21.5 using 'hal version list' and test that SpEL expression injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to orca endpoints with SpEL expressions in parameters
- File access errors or unexpected file operations in orca container logs
Network Indicators:
- HTTP POST requests to /orca endpoints with suspicious payloads
- Unusual outbound traffic from orca container
SIEM Query:
source="orca" AND (method="POST" AND (url_path="/api/*" OR param="expression"))
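One way to turn the log indicators above into a concrete check, as an added example that is not part of the original page: a small Python scanner that flags POST requests whose body carries SpEL `${...}` expressions or the `expression` parameter named in the SIEM query. The tab-separated log format, timestamps and endpoint paths are constructed for this example; real Spinnaker/orca logs differ and would need their own parser.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request-log lines (not real orca logs).
# Fields are tab-separated: timestamp, method, path, request body.
SAMPLE_LOGS = [
    '2020-05-01T10:00:00Z\tGET\t/pipelines/demo\t',
    '2020-05-01T10:00:05Z\tPOST\t/orchestrate\t{"application":"demo","stages":[{"type":"wait","waitTime":30}]}',
    '2020-05-01T10:00:09Z\tPOST\t/orchestrate\t{"application":"demo","stages":[{"type":"wait","waitTime":"${parameters.wait}"}]}',
    '2020-05-01T10:00:12Z\tPOST\t/pipelines/start\tname=x&expression=%24%7Bexecution.id%7D',
]

# SpEL expressions in Spinnaker are delimited by ${ ... }.
SPEL_PATTERN = re.compile(r"\$\{[^}]*\}")


def parse_line(line):
    """Split one constructed log line into its four fields, URL-decoding the body."""
    ts, method, path, body = line.split("\t", 3)
    return {"ts": ts, "method": method, "path": path, "body": unquote_plus(body)}


def find_spel_posts(lines):
    """Return POST requests whose body contains SpEL syntax or an 'expression' parameter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue  # the advisory concerns POST requests only
        exprs = SPEL_PATTERN.findall(rec["body"])
        if exprs or "expression=" in rec["body"]:
            hits.append({"ts": rec["ts"], "path": rec["path"], "expressions": exprs})
    return hits


if __name__ == "__main__":
    for hit in find_spel_posts(SAMPLE_LOGS):
        print(f"{hit['ts']} POST {hit['path']} -> review SpEL: {hit['expressions']}")
```

Legitimate Spinnaker pipelines also use `${...}` expressions, so treat a hit as a triage lead to correlate with the requesting user and the orca container's file-access logs, not as proof of exploitation.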