How to Fix CVE-2023-39265 & CVE-2023-37941- Unauthorized SQLite Access and RCE Vulnerabilities in Apache Superset?

Apache Superset, the popular open-source data visualization platform, recently came under the spotlight for a couple of vulnerabilities disclosed. Naveen Sunkavally, a security researcher from Horizon3, disclosed a couple of critical vulnerabilities that put many Apache Superset deployments at risk. The two vulnerabilities identified are CVE-2023-39265 and CVE-2023-37941.

Identified the previous month, both vulnerabilities have significant attention due to their potential impact. While CVE-2023-39265 could allow attackers unauthorized access to SQLite databases, CVE-2023-37941 poses a more severe threat by enabling remote code execution. Both vulnerabilities have critical to high CVE base scores, indicating the critical nature of the flaws. If exploited, these vulnerabilities can lead to scenarios like credential theft, data breaches, and potential takeover of the Apache Superset server.

In this blog post, we will learn more about Apache Superset, its architecture, and its features. We’ll also explore the technicalities of CVE-2023-39265 and CVE-2023-37941, shedding light on how these vulnerabilities originated, their implications, and how attackers might exploit them. Lastly, we will guide you through the remediation process, ensuring you can secure your Apache Superset deployments effectively. With that said, let’s begin this post that lets you know how to fix CVE-2023-39265 and CVE-2023-37941, unauthorized SQLite access, and RCE vulnerabilities in Apache Superset.

Introducing Apache Superset and its Features

Apache Superset is an open-source data visualization and exploration platform that has rapidly grown in popularity over recent years. Developed by Airbnb and later contributed to the Apache Software Foundation, Superset provides a fast, lightweight, and intuitive interface for users to craft intricate data visualizations and derive insights from vast datasets.

The primary allure of Apache Superset lies in its robust set of features. Here are some of the capabilities of this platform:

From an architectural standpoint, Apache Superset boasts a modular design. It consists of a frontend built using React and a backend powered by Python’s Flask framework. The platform leverages the SQLAlchemy ORM for database connections, making it adaptable to various database technologies. Furthermore, Superset’s architecture is designed for scalability, ensuring it can handle large datasets and serve numerous users simultaneously.

Understanding CVE-2023-39265 & CVE-2023-37941

Horizon3 uncovered several vulnerabilities in Apache Superset, among these vulnerabilities, these three are something that needs immediate attention. The recent vulnerabilities CVE-2023-39265 and CVE-2023-37941 and another one disclosed in April this year, CVE-2023-27524, a flaw stemmed from an insecure default configuration of the Flask SECRET_KEY value that enables unauthorized attackers to gain admin access to vulnerable Apache Superset servers.

According to the researcher, the cumulative effect of all three vulnerabilities is worst at its point. CVE-2023-27524 vulnerability allows a remote attacker to gain admin access. CVE-2023-39265 allows attackers to bypass the safeguards in place to prevent SQLite connections and gain control of the metadata database. The third vulnerability, CVE-2023-37941, allows attackers to execute remote code on the vulnerable Apache Superset server.

CVE-2023-39265 and CVE-2023-37941 are two high-severity vulnerabilities connected with SQLite, an open-source SQL database engine commonly used by developers to incorporate a relational database into their applications, and Python’s pickle package, a module used for serializing and deserializing Python objects.

CVE-2023-39265 is a vulnerability that allows attackers to bypass the safeguards in place to prevent SQLite connections and gain control of the metadata database. This vulnerability arises from the fact that Superset uses SQLite as its metadata database, and the SQLite file is located on the Superset web server. An attacker can bypass the safeguards by putting in the full SQLAlchemy URI containing both the dialect and driver name like ‘sqlite+pysqlite:////path/to/database.db’. After connecting to the metadata store, an attacker can then enable it for use in SQLLab and turn on write/DML statements.

Successful connection to the database  upon bypassing the safeguards by putting in the full SQLAlchemy URI containing both the dialect and driver name (Image Source: Horizon3)

CVE-2023-37941 is a vulnerability that allows attackers to execute remote code on the Superset server. This vulnerability arises from Python’s pickle package to store certain configuration data. An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store and then trigger deserialization of it, leading to remote code execution.

For comprehensive technical details, please visit this page.

Apache Superset Versions Affected by CVE-2023-39265 & CVE-2023-37941

Apache Superset versions up to and including 2.1.0 are affected by the unauthorized SQLite database access flaw tracked as CVE-2023-39265. Versions 1.5 through 2.1.0 are vulnerable to the remote code execution issue via pickle deserialization, tracked as CVE-2023-37941. Both vulnerabilities are fixed in version 2.1.1.

How To Upgrade Apache Superset to Fix CVE-2023-39265 & CVE-2023-37941?

To address the unauthorized SQLite access and remote code execution vulnerabilities in Apache Superset, the vendor has released version 2.1.1. All users should upgrade to this latest version as soon as possible. Superset 2.1.1 prevents the SQLite metadata database from being accessed directly through SQLAlchemy URIs. It also replaces the usage of the pickle module with JSON to prevent unsafe deserialization.

For production installs, migrate to a more robust metadata database like Postgres rather than using SQLite. Review and restrict user permissions to only allow access to required functionality. Use strong secrets and rotate any credentials that may have been exposed. Restrict network access to Superset and avoid exposing it directly to the public internet if possible. Upgrading to the latest release, securing the metadata database, and limiting access are key steps to mitigate these vulnerabilities in Apache Superset deployments.

How To Upgrade Apache Superset to Fix CVE-2023-39265 & CVE-2023-37941?

Upgrading Apache Superset to the latest version, 2.1.1, is a straightforward process. The steps are as follows:

For a native Superset installation, upgrade by running pip install apache-superset --upgrade to get the latest 2.1.1 package. Next, run superset db upgrade to upgrade the metadata database schema. Finally, reinitialize the metadata with superset init.

pip install apache-superset --upgrade

superset db upgrade

superset init

Before upgrading production, it is highly recommended to first test the upgrade process in a staging environment. Also, schedule the production upgrade during off-peak hours to minimize disruption. Although upgrading Superset does not delete existing dashboards and charts, the best practice is to back up the metadata database prior to upgrading. This provides a rollback option in case of issues. After upgrading, verify the proper functioning of the Superset.

Check that dashboards and charts render as expected. Also, test any custom plugins or functionality used in your deployment. Monitor logs for any errors or warnings after upgrading. With these steps, Apache Superset can be upgraded to the latest 2.1.1 version. Proper testing and backups help ensure a smooth transition to the new release. Follow best practices for enterprise software upgrades to upgrade Superset safely and efficiently.

We hope this post helps you know how to fix CVE-2023-39265 and CVE-2023-37941, unauthorized SQLite access, and RCE vulnerabilities in Apache Superset. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.