Discourse Vulnerability CVE-2021-41163

sarahann · October 29, 2021, 12:28am

Hey all,

I was recently made aware of this security vulnerability in Discourse NVD - CVE-2021-41163 (nist.gov)

I was curious because its on the /webhooks/aws url, is Discourse in Azure affected by this as well?

Falco · October 29, 2021, 4:18am

Every instance is affected (if not patched) no matter where you host it.

sarahann · October 29, 2021, 6:46pm

Hey @Falco thanks for the speedy reply!

I am not a ruby expert but I thought that this line of code would prevent the execution of the vulnerable bit on Azure as it would evaluate to false?? Please do correct me here cause I don’t know ruby.

Also, as a complete band-aid solution and NOT RECCOMENDED as upgrading is 100% the best solution. Could you edit the nginx file in order to temporarily fix this until upgrading?
Like this:

ssh to machine
cd /var/discourse
./launcher enter app
cd /etc/nginx/conf.d/
edit discourse.conf
add:

location ~* /webhooks/aws {
    deny all;
}

sv restart nginx

I have every intention of upgrading, and soon. But I’ll need about a week to organize things for our live environment and would like to be secure in the meantime.

Falco · October 29, 2021, 7:20pm

That line will execute anyway, as that parameter is user input.

sarahann:

Also, as a complete band-aid solution and NOT RECCOMENDED as upgrading is 100% the best solution. Could you edit the nginx file in order to temporarily fix this until upgrading?
Like this:

ssh to machine

cd /var/discourse

./launcher enter app

cd /etc/nginx/conf.d/

edit discourse.conf

add:
location ~* /webhooks/aws {
    deny all;
}
sv restart nginx

That may work, but as you stated is a band-aid. Rebuilding will remove the fix, and be very careful testing as nginx config is very tricky to get right.

awslabspl · October 29, 2021, 9:19pm

Based on the insight of our security team, this is not Discourse bug. This bug is in our SNS messages distribution system ( MDS ) ( cannot go into much details here ) meaning it will affect every package that uses / make use of SNS service.

michaeld · October 29, 2021, 9:29pm

Yes, the problem is indeed caused by an upstream issue in the aws-sdk-sns gem. But it is important to realize that - since Discourse uses this gem and exposes the bug to the world - every Discourse instance is vulnerable even when it does not actually use the AWS SNS service.

So while it is not a “Discourse bug” it is a “security vulnerability in Discourse”.

valsha · October 30, 2021, 8:59am

is this vulnerability fixed? thank you.

HAWK · October 30, 2021, 9:08am

Yes, but you need to ensure that you’ve applied the patch. Read the topic.

valsha · October 30, 2021, 9:14am

a simple

launcher rebuild app

will not help to fix this vulnerability?

david · October 30, 2021, 10:23am

./launcher rebuild app will apply the latest updates to your Discourse instance, and will include the patch for this issue

Official information can be found at RCE via malicious SNS subscription payload · Advisory · discourse/discourse · GitHub

awslabspl · October 30, 2021, 6:06pm

Sounds better

system · November 29, 2021, 6:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Discourse upgrade via Web UI Fails & SSH Upgrade Brings Down Discourse Instance Installation	17	1791	November 26, 2021
Discourse + Web Application Firewall (WAF) mod_security Hosting unsupported-install	8	3439	November 20, 2019
./launcher rebuild app fails hard 'bundle exec rake db:migrate' possible issue with github/master repo removal of auth/oath2_authenticator Installation	6	1872	May 21, 2022
How to run Discourse in Apache vhost, not Nginx Installation unsupported-install	30	2254	August 14, 2023
Problem setup on AWS: EC2, RDS, ElastiCache Installation unsupported-install	3	2448	June 8, 2024

Discourse Vulnerability CVE-2021-41163

Related Topics