Tell HN: Upgrade your Metabase installation (opens in new tab)

(github.com)

208 pointszhoutong2y ago72 comments

72 comments

One of the better decisions we took at my firm was to not allow direct access to any production DB to analytics visualization tools like Metabase and Redash.

Always write your analytics data to a separate DB in a periodically run job. Only store aggregated anonymized data in the analytics DB you expose to internal stakeholders via tools like Metabase.

jimmytucson2y ago

Also your production database is optimized for different workloads than your analytics database.

Usually production is used for fetching and updating a small number of records at a time (think updating a shopping cart), and has strict latency requirements whereas analytics involves reading a large amount of data in columns (think count group by one or two columns), and can be done in batches where the results can get a more and more stale until the next batch runs.

bingemaker2y ago

How do you batch write the results (say updating shopping carts) when frontend has to reflect whats in the database?

1 more reply

namaria2y ago

That's a great idea and it articulates something I have thought about the whole "use boring tech" things (which I support). It doesn't preclude letting people use the shiny new thing. You can always let them plug it in and use it. But the core of the system should be as simple as possible and based on thoroughly understood tech (from the point of view of the team in question/accessible labor market).

nucleardog2y ago

I tend to discuss things in terms of the trunk, branch, and leaves.

Mostly in that the leaves of your system (parts that nothing else connects to or builds on) are generally a low risk place to try new things sometimes. If you do run into any intractable issues, it’s also an easy spot to pluck it off and replace it.

nneonneo2y ago

Worth pointing out that we recently discovered an RCE in RestrictedPython that affects Redash: https://github.com/zopefoundation/RestrictedPython/security/...

This should further emphasize the need to isolate these tools and ensure they are only accessible to people who need them.

98codes2y ago

Exactly right -- we do all of that, and even then tightly control and audit who has access to the anonymized, aggregated, read-only data cube.

MattJ1002y ago

What kind of tooling do you/people use for that? Or just custom scripts?

appplication2y ago

Look up OLTP vs OLAP data stores to get an idea. There are a lot of common patterns for the specifics of implementing this. Usually you run a regularly scheduled job that dumps data representing some time period (e.g. daily jobs). There are some considerations for late arriving data, which is a classic DE interview question, but for the most part, big nightly dumps of the last day’s data/transactions/snapshots to date-partitioned columnar stores using an orchestration engine like Airflow is sufficient for 99% of use cases.

1 more reply

mh-2y ago

(not the person you're replying to)

I can't recommend any specific tools without knowing a lot about the environment, but if you're looking for terms to google: ELT (Extract, Load, Transform) and CDC (Change Data Capture) will give you a sense of the landscape.

edit: the sibling comment that mentions Airflow is a good answer for an example of an ELT workflow.

pbreit2y ago

Don't Maria, Postgres, etc make replication pretty easy?

lecha2y ago

How many of you have received this notice via an official security advisory channel you're monitoring/acting on? If so, which advisory service do you use and how you configure it? Learning about HN is useful, but far from a reliable solution.

swe_dima2y ago

I am subsribed to their Github releases and when I saw a release for every old version I knew what's up :-)

rudasn2y ago

Yeah I do the same for projects I use. I also received an email but don't remember if I also signed up to their newsletters or something like that.

Mandatum2y ago

Saw it on HN.

not_your_vase2y ago

It is definitely not announced on Full Disclosure nor on oss-security mailing lists.

worthless-trash2y ago

Doesn't look like there is a CVE either: https://www.cvedetails.com/vulnerability-list/vendor_id-1947...

1 more reply

xctr942y ago

I got an email directly from Metabase.

exabrial2y ago

I think it's important to review the term "Zero Trust" because so many companies are getting it wrong.

Zero Trust does not mean: "No mor VPNs and private IP network ranges, everything is public. ::elitist hipster noises::"

Zero Trust simply means: "Just _because_ you're on a private network [or coming from a known ip], doesn't mean you're authenticated."

You should have every single one of your internal network services (like Metabase) behind a VPN like Wireguard or numerous other options. The sole purpose of this is to reduce your firewall log noise to a manageable level that can be reviewed by hand if necessary.

Obviously this isn't perfect security, but that's the _entire_ point: every security researcher says security should be an onion, not a glass sphere; many layers of independent security.

kevincox2y ago

This is why I try to put everything behind NGINX with basic auth. Unfortunately not everything works well that way but in this case I suspect that this is made unexploitable by anyone without the password.

tedeh2y ago

Ha, I was just about to go in here and say the same thing.

"Fortunately" some "white hat" hacker contacted us last year about another Metabase exploit. I gave him a 30 USD tip and ended up doing exactly what you are suggesting.

Now I'm glad that means I don't need to interrupt my vacation to fix this thing right now.

fuomag92y ago

Here in Italy you get lucky if the company is not suing you :(

1 more reply

vdfs2y ago

Hmm, I was thinking that's a standard thing, atleast in HN crowd. basic setup Cloudflare -> Nginx -> Docker -> 3rd Party app, all on a dedicated vm

tlrobinson2y ago

You can also setup some reverse proxies to auth with SSO like Google. I use Traefik + https://github.com/thomseddon/traefik-forward-auth for personal projects, even on my local network.

square_usual2y ago

I like NGINX, but I prefer how simple it is to set up Caddy with basic auth. Caddy is already simpler to configure (and has automatic SSL via Let's Encrypt), but it's so simple to get its basic directive working compared to NGINX that I do it by default now.

lomereiter2y ago

Better yet, oauth2-proxy in case of an organization: only admins need to know the secrets, every user simply uses SSO to get access.

nullcipher2y ago

or vpn

riadsila2y ago

For more context: https://www.metabase.com/blog/security-advisory

vxNsr2y ago

They say they’ll be releasing the patch publicly, but isn’t this OSS, can’t anyone just do a diff and with a little “elbow grease” find the patch?

JJJollyjim2y ago

They haven't released the source, and the compiled versions are non-trivial to diff (e.g. there are nondeterministic numbers from the clojure compiler that seem to have changed from one to the other, and .clj files have been removed from the jar).

The old version has `hash=1bb88f5`, which is a public commit: https://github.com/metabase/metabase/commit/1bb88f5

Whereas the new version has `hash=c8912af`, which is not: https://github.com/metabase/metabase/commit/c8912af

2 more replies

hadrien012y ago

> Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.

1 more reply

MuffinFlavored2y ago

https://github.com/metabase/metabase/compare/v0.46.6...v0.46...

I can't tell if that's it?

edit: I've looked at it a few times, I don't think that's it?

1 more reply

thomasfromcdnjs2y ago

It would be nice to know if this vulnerability affects people who never made their Metabase installations publicly accessible.

Aka if I am running Metabase locally.

Mandatum2y ago

It’ll be an RCE. If you are network isolated or have a proxy in front of it, you can take the weekend off.

MuffinFlavored2y ago

How would an attacker exploit that?

ac2u2y ago

A vulnerability (not necessarily this one, just hypothesising) could be exploited via a payload result from an outbound request to the internet.

1 more reply

not_your_vase2y ago

Emergency deployment late Friday afternoon (by EU time, at least), the best way to end a week :)

kmitz2y ago

Thanks for the heads up ! Without your message I'd probably have found out in a couple months :)

smithcoin2y ago

If I have my metabase installation protected behind oauth with G suite am I protected from these kinds of vectors?

Dachande6632y ago

Perhaps a naive question, but if running metabase within a docker container, what permissions would this RCE have? AFAIK the container has network access and access to the mounted volumes and that's it right?

JJJollyjim2y ago

Presumably the metabase instance also has credentials to access some databases, some of which may be have enough privileges to also get RCE on the database machines (as well as messing with the data they hold).

Dachande6632y ago

We issue separate read-only credentials for database access fortunately. Still doesn't remove the risk of all the data been exfiltrated though.

hiatus2y ago

The container has access to whatever database you connect metabase to for BI. If the db connection credentials are available to the container, it's possible a malicious actor could access your prod db.

throwaway67342y ago

It depends on how the container is being run and if it has root Access

formerly_proven2y ago

> Extremely severe. An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on.

Java deserialization strikes another one down, I assume?

theanonymousone2y ago

Will it still be (as) dangerous if Metabase is running inside a container?

Mandatum2y ago

To all the data inside of it? Sure.

To all of the auth tokens and user creds? Why not.

jacob_rezi2y ago

What would happen if a software's database was completely accessible via an open api end point?

exabrial2y ago

thank you!

j / k navigate · click thread line to collapse

72 comments

hannofcart2y ago

One of the better decisions we took at my firm was to not allow direct access to any production DB to analytics visualization tools like Metabase and Redash.

Always write your analytics data to a separate DB in a periodically run job. Only store aggregated anonymized data in the analytics DB you expose to internal stakeholders via tools like Metabase.

jimmytucson2y ago

Also your production database is optimized for different workloads than your analytics database.

bingemaker2y ago

How do you batch write the results (say updating shopping carts) when frontend has to reflect whats in the database?

1 more reply

namaria2y ago

nucleardog2y ago

I tend to discuss things in terms of the trunk, branch, and leaves.

nneonneo2y ago

Worth pointing out that we recently discovered an RCE in RestrictedPython that affects Redash: https://github.com/zopefoundation/RestrictedPython/security/...

This should further emphasize the need to isolate these tools and ensure they are only accessible to people who need them.

98codes2y ago

Exactly right -- we do all of that, and even then tightly control and audit who has access to the anonymized, aggregated, read-only data cube.

MattJ1002y ago

What kind of tooling do you/people use for that? Or just custom scripts?

appplication2y ago

1 more reply

mh-2y ago

(not the person you're replying to)

edit: the sibling comment that mentions Airflow is a good answer for an example of an ELT workflow.

pbreit2y ago

Don't Maria, Postgres, etc make replication pretty easy?

lecha2y ago

swe_dima2y ago

I am subsribed to their Github releases and when I saw a release for every old version I knew what's up :-)

rudasn2y ago

Yeah I do the same for projects I use. I also received an email but don't remember if I also signed up to their newsletters or something like that.

Mandatum2y ago

Saw it on HN.

not_your_vase2y ago

It is definitely not announced on Full Disclosure nor on oss-security mailing lists.

worthless-trash2y ago

Doesn't look like there is a CVE either: https://www.cvedetails.com/vulnerability-list/vendor_id-1947...

1 more reply

xctr942y ago

I got an email directly from Metabase.

exabrial2y ago

I think it's important to review the term "Zero Trust" because so many companies are getting it wrong.

Zero Trust does not mean: "No mor VPNs and private IP network ranges, everything is public. ::elitist hipster noises::"

Zero Trust simply means: "Just _because_ you're on a private network [or coming from a known ip], doesn't mean you're authenticated."

Obviously this isn't perfect security, but that's the _entire_ point: every security researcher says security should be an onion, not a glass sphere; many layers of independent security.

kevincox2y ago

tedeh2y ago

Ha, I was just about to go in here and say the same thing.

"Fortunately" some "white hat" hacker contacted us last year about another Metabase exploit. I gave him a 30 USD tip and ended up doing exactly what you are suggesting.

Now I'm glad that means I don't need to interrupt my vacation to fix this thing right now.

fuomag92y ago

Here in Italy you get lucky if the company is not suing you :(

1 more reply

vdfs2y ago

Hmm, I was thinking that's a standard thing, atleast in HN crowd. basic setup Cloudflare -> Nginx -> Docker -> 3rd Party app, all on a dedicated vm

tlrobinson2y ago

You can also setup some reverse proxies to auth with SSO like Google. I use Traefik + https://github.com/thomseddon/traefik-forward-auth for personal projects, even on my local network.

square_usual2y ago

lomereiter2y ago

Better yet, oauth2-proxy in case of an organization: only admins need to know the secrets, every user simply uses SSO to get access.

nullcipher2y ago

or vpn

riadsila2y ago

For more context: https://www.metabase.com/blog/security-advisory

vxNsr2y ago

They say they’ll be releasing the patch publicly, but isn’t this OSS, can’t anyone just do a diff and with a little “elbow grease” find the patch?

JJJollyjim2y ago

The old version has `hash=1bb88f5`, which is a public commit: https://github.com/metabase/metabase/commit/1bb88f5

Whereas the new version has `hash=c8912af`, which is not: https://github.com/metabase/metabase/commit/c8912af

2 more replies

hadrien012y ago

1 more reply

MuffinFlavored2y ago

https://github.com/metabase/metabase/compare/v0.46.6...v0.46...

I can't tell if that's it?

edit: I've looked at it a few times, I don't think that's it?

1 more reply

thomasfromcdnjs2y ago

It would be nice to know if this vulnerability affects people who never made their Metabase installations publicly accessible.

Aka if I am running Metabase locally.

Mandatum2y ago

It’ll be an RCE. If you are network isolated or have a proxy in front of it, you can take the weekend off.

MuffinFlavored2y ago

How would an attacker exploit that?

ac2u2y ago

A vulnerability (not necessarily this one, just hypothesising) could be exploited via a payload result from an outbound request to the internet.

1 more reply

not_your_vase2y ago

Emergency deployment late Friday afternoon (by EU time, at least), the best way to end a week :)

kmitz2y ago

Thanks for the heads up ! Without your message I'd probably have found out in a couple months :)

smithcoin2y ago

If I have my metabase installation protected behind oauth with G suite am I protected from these kinds of vectors?

Dachande6632y ago

JJJollyjim2y ago

Dachande6632y ago

We issue separate read-only credentials for database access fortunately. Still doesn't remove the risk of all the data been exfiltrated though.

hiatus2y ago

throwaway67342y ago

It depends on how the container is being run and if it has root Access

formerly_proven2y ago

> Extremely severe. An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on.

Java deserialization strikes another one down, I assume?

theanonymousone2y ago

Will it still be (as) dangerous if Metabase is running inside a container?

Mandatum2y ago

To all the data inside of it? Sure.

To all of the auth tokens and user creds? Why not.

jacob_rezi2y ago

What would happen if a software's database was completely accessible via an open api end point?

exabrial2y ago

thank you!

j / k navigate · click thread line to collapse