PureSec Improves Security in Apache OpenWhisk Serverless Runtime
PureSec Discloses a Weakness in Apache OpenWhisk and Helps Make it More Secure
TEL AVIV, Israel, July 24, 2018 /PRNewswire/ -- PureSec, the leader in serverless security, announced today that its research team helped improve the security of the Apache OpenWhisk serverless platform. OpenWhisk is the leading open source platform for serverless computing, and there are several commercial deployments of the technology.
Apache OpenWhisk executes functions in response to events with rapid auto-scaling. It provides a programming model to create functions as cloud-native event handlers, and executes the functions automatically, inside runtime containers, as the events occur.
The PureSec threat research team demonstrated how, under certain conditions, a remote attacker may overwrite the source code of a vulnerable function that is being executed in a runtime container and influence subsequent executions of the same function in the same container. An attacker who manages to overwrite or modify the code of the serverless function can then perform further actions, such as leaking sensitive data, which may belong to other end users, during subsequent executions of that function.
"As part of our continuous research efforts into serverless security, our team discovered this function mutability in an OpenWhisk runtime and upon verifying it, reported it directly to the Apache OpenWhisk team," said Ory Segal, CTO & co-founder at PureSec. "We were extremely pleased and impressed with the promptness of the Apache OpenWhisk team, which took this issue very seriously."
PureSec also provided the Apache OpenWhisk team with a suggested fix, which mitigates the risk.
"The security of functions is an important tenet of serverless computing. The Apache OpenWhisk community thanks PureSec and its research team for improving the OpenWhisk platform and making it more secure," said Rodric Rabbah, one of the creators of Apache OpenWhisk.
The vulnerabilities are tracked under the following CVEs: CVE-2018-11756 and CVE-2018-11757.
The full details of the weakness can be found in the following research paper:
https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory.pdf
PureSec also released a 5-minute video explaining the weakness:
https://www.youtube.com/watch?v=GQSyN4j6Cqc
About PureSec
As the global leader in serverless architectures security, PureSec enables its customers to build and maintain secure and reliable serverless applications. The company's end-to-end serverless security solution is the industry's first and most comprehensive Serverless Security Runtime Environment (SSRE).
To learn how PureSec solutions and its team of serverless security experts are helping businesses to secure their serverless applications, please visit www.puresec.io, and follow @PureSecTeam on Twitter.
Media Contact
Lazer Cohen
WestRay Communications
[email protected]
SOURCE PureSec