An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the user under which Galaxy is running.
Impact
This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware.
| Deployment Method |
Version |
Vulnerable |
| Galaxy Ansible Roles |
* |
Safe |
* + nginx |
* |
Partially vulnerable, file read is contained to lib/galaxy/webapps/base/ and its subdirectories (which include static which is already exposed intentionally, and templates which was not.) |
* + apache |
* |
Safe |
| run.sh + nginx |
* |
Safe |
| run.sh directly exposed |
<22.01 |
Safe |
| run.sh directly exposed |
>=22.01 |
Vulnerable |
Patches
A patch can be found at:
https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch
To apply the patch, navigate to the root of your Galaxy directory, then execute:
wget -O - https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1
or:
curl https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1
You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
Workarounds
You must patch with this patch to prevent this vulnerability, if you are in one of the vulnerable configurations.
Ghepardo Analyst
An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the user under which Galaxy is running.
Impact
This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware.
*+ nginxlib/galaxy/webapps/base/and its subdirectories (which includestaticwhich is already exposed intentionally, andtemplateswhich was not.)*+ apachePatches
A patch can be found at:
https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch
To apply the patch, navigate to the root of your Galaxy directory, then execute:
wget -O - https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1or:
curl https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
Workarounds
You must patch with this patch to prevent this vulnerability, if you are in one of the vulnerable configurations.