PureSec announced today that its research team helped improve the security of the Apache OpenWhisk serverless platform. OpenWhisk is the leading open source platform for serverless computing, and there are several commercial deployments of the technology.
Apache OpenWhisk executes functions in response to events with rapid auto-scaling. It provides a programming model to create functions as cloud-native event handlers, and executes the functions automatically, inside runtime containers, as the events occur.
The PureSec threat research team demonstrated how, under certain conditions, a remote attacker may overwrite the source code of a vulnerable function that is being executed in a runtime container, and thereby influence subsequent executions of the same function in the same container. An attacker who manages to overwrite or modify the code of the serverless function can then perform further actions, such as leaking sensitive data during subsequent executions of that function, data which may belong to other end users.
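To make the "function mutability" risk concrete, here is an added illustration that is not PureSec's or the Apache OpenWhisk project's code. It models a runtime container as a small Python class with two operations, an assumed `init` (load the function's handler) and an assumed `run` (execute one invocation). The `MutableRuntime` model accepts a second `init` and silently replaces the handler, so a later invocation by a different user runs the replaced code; the `LockedRuntime` model accepts only the first `init`, rejects and logs any later attempt, and leaves subsequent invocations unaffected. All class and method names are assumptions for this example.

```python
"""Toy model of a serverless runtime container, contrasting a container whose
function code can be replaced after initialization (the weakness class the
press release describes) with one that locks its code after the first init.

Hypothetical illustration only; not OpenWhisk's runtime implementation.
"""
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]
Handler = Callable[[Event], Dict[str, Any]]


class ReinitializationRejected(Exception):
    """Raised when a caller tries to replace the code of an initialized container."""


class MutableRuntime:
    """Vulnerable model: every call to init() replaces the loaded handler."""

    def __init__(self) -> None:
        self.handler: Optional[Handler] = None
        self.audit: List[str] = []  # constructed audit trail, useful for detection

    def init(self, handler: Handler) -> None:
        self.handler = handler
        self.audit.append("init")

    def run(self, event: Event) -> Dict[str, Any]:
        if self.handler is None:
            raise RuntimeError("container not initialized")
        self.audit.append("run")
        return self.handler(event)


class LockedRuntime(MutableRuntime):
    """Hardened model: the first init() wins; later attempts are rejected and logged."""

    def init(self, handler: Handler) -> None:
        if self.handler is not None:
            # A second init on a warm container is never legitimate here,
            # so record it for alerting and refuse to change the code.
            self.audit.append("reinit-rejected")
            raise ReinitializationRejected(
                "container already initialized; refusing to replace function code"
            )
        super().init(handler)


def greeting_handler(event: Event) -> Dict[str, Any]:
    """The legitimate function code loaded into the container (constructed)."""
    return {"greeting": f"hello {event.get('name', 'world')}"}


def tampered_handler(event: Event) -> Dict[str, Any]:
    """Stand-in for replacement code that changes the function's behaviour."""
    return {"greeting": "tampered"}


def demo(runtime_cls: Callable[[], MutableRuntime]) -> Dict[str, Any]:
    """Initialize a container, run it for one user, attempt a re-init,
    then run it for a second user and report what that second user saw."""
    rt = runtime_cls()
    rt.init(greeting_handler)
    first = rt.run({"name": "alice"})
    try:
        rt.init(tampered_handler)
        rejected = False
    except ReinitializationRejected:
        rejected = True
    second = rt.run({"name": "bob"})
    return {"first": first, "second": second, "rejected": rejected, "audit": rt.audit}


if __name__ == "__main__":
    print("mutable:", demo(MutableRuntime))
    print("locked: ", demo(LockedRuntime))
```

In the mutable model the second user's invocation returns the tampered result even though only the first user's request followed the container's initialization, which is exactly why the same warm container serving many users makes the weakness a data-exposure risk. The locked model also leaves a `reinit-rejected` entry in its audit trail, which is the event a platform operator would want to alert on.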
“As part of our continuous research efforts into serverless security, our team discovered this function mutability in an OpenWhisk runtime and upon verifying it, reported it directly to the Apache OpenWhisk team,” said Ory Segal, CTO & co-founder at PureSec. “We were extremely pleased and impressed with the promptness of the Apache OpenWhisk team, which took this issue very seriously.”
PureSec also provided the Apache OpenWhisk team with a suggested fix, which mitigates the risk.
“The security of functions is an important tenet of serverless computing. The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure,” said Rodric Rabbah, one of the creators of Apache OpenWhisk.
The vulnerabilities are tracked under the following CVEs: CVE-2018-11756 and CVE-2018-11757.
The full details of the weakness can be found in the following research paper: