Impact
If you configured Redash without explicitly specifying the REDASH_COOKIE_SECRET environment variable, Redash instead used a default value that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
In conjunction with removing the default value to make sure that a value is always provided, we have added a page to our documentation about setting and managing secret keys in Redash.
Our thanks to Ian Carroll (@iangcarroll on GitHub) for responsibly disclosing this vulnerability.
How can I tell if my instance is affected?
You can verify whether your instance is affected by checking whether the REDASH_COOKIE_SECRET environment variable is set for your installation. If it is not present in your configuration, follow the steps to secure your instance outlined in the Patches section below.
If you are using any of Redash’s official cloud images (AWS, GCE, Digital Ocean) or used our setup script to generate your Docker installation, this vulnerability is most likely mitigated already. Please check /opt/redash/env to confirm that an explicit value for REDASH_COOKIE_SECRET has been set.
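The check described above, written out as an added shell example (it is not part of Redash or of this advisory): it reads an env file in the same KEY=value format as /opt/redash/env and reports each of the two secret variables as missing, equal to the old built-in default value quoted later in this advisory, or set to something else. The sample env file and every value in it are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a Redash env file for the secrets this advisory concerns.
# The former built-in default cookie secret, as quoted in the advisory's Patches section.
DEFAULT_COOKIE_SECRET='c292a0a3aa32397cdb050e233733900f'

# env_value FILE KEY -> prints the value of the last KEY=value line in FILE
# (surrounding double quotes stripped), or nothing if the key is absent.
env_value() {
    grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | sed -e 's/^"\(.*\)"$/\1/'
}

# check_secret FILE KEY -> "missing" | "default" | "ok"
# "default" means the value equals the old built-in cookie secret, which every
# installation shared and which therefore must be treated as public.
check_secret() {
    v=$(env_value "$1" "$2")
    if [ -z "$v" ]; then
        echo missing
    elif [ "$v" = "$DEFAULT_COOKIE_SECRET" ]; then
        echo default
    else
        echo ok
    fi
}

# audit_env FILE -> prints one line per variable; returns 0 only if both
# REDASH_COOKIE_SECRET and REDASH_SECRET_KEY are set to non-default values.
audit_env() {
    rc=0
    for key in REDASH_COOKIE_SECRET REDASH_SECRET_KEY; do
        status=$(check_secret "$1" "$key")
        echo "$key: $status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample env file in the style of /opt/redash/env (all values made up).
# It models an instance that never set the cookie secret and pinned the
# secret key to the old default, i.e. one that still needs the Patches steps.
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_ENV" <<'EOF'
PYTHONUNBUFFERED=0
REDASH_LOG_LEVEL=INFO
REDASH_REDIS_URL=redis://redis:6379/0
POSTGRES_PASSWORD=example-db-password
REDASH_SECRET_KEY=c292a0a3aa32397cdb050e233733900f
EOF

audit_env "$SAMPLE_ENV" || echo "instance needs the remediation steps in the Patches section"
```

Run it against the real file with `audit_env /opt/redash/env`; a non-zero exit means at least one of the two variables is missing or still equals the old default.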
Patches
A software patch is not required to fix this vulnerability. Instead, an admin must modify Redash's configuration through environment variables. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database (see below).
The current master and release/10.0.x branches have removed the default value for REDASH_COOKIE_SECRET. All future releases will also require this to be set explicitly. For Docker installations, you can upgrade to Docker Tag redash/redash:10.1.0.b50633.
For existing installations, you will need to ensure that explicit values are set for the REDASH_COOKIE_SECRET and REDASH_SECRET_KEY variables.
V7 and later
Starting in version 7, Redash encrypts data source and alert destination details in the database using the REDASH_SECRET_KEY environment variable.
If you have not set REDASH_SECRET_KEY explicitly:
- Set the REDASH_SECRET_KEY environment variable to the default (current) cookie secret: c292a0a3aa32397cdb050e233733900f
- Set REDASH_COOKIE_SECRET to a different value [1]
- Use the Redash CLI to re-encrypt using a secret key different from the one in step 1 (see docs)
- Set the REDASH_SECRET_KEY environment variable to the new value you used in step 3
- Restart Redash
If you have set REDASH_SECRET_KEY explicitly:
- Set the REDASH_COOKIE_SECRET environment variable [1]
- Restart Redash
V6 and earlier
If you're using Redash version 6 or older (before we introduced data source encryption):
- Set the REDASH_COOKIE_SECRET environment variable [1]
- Restart Redash
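The env-file side of the "V7 and later, REDASH_SECRET_KEY not set explicitly" steps above, as an added shell example that is not part of Redash or this advisory. It performs steps 1, 2 and 4 against a constructed sample file and prints the command for step 3, which is Redash's own CLI. Two things are assumptions of mine rather than facts from the advisory: the re-encrypt command's syntax (`manage database reencrypt OLD_SECRET NEW_SECRET`, from memory; check it against the docs the advisory links), and the choice of 32 random bytes rendered as hex for each new value (the docs' own guidance on picking a key is the footnote link).

```shell
#!/bin/sh
# Added example: apply the env-file changes of the V7+ rotation procedure.
# The old built-in default cookie secret, as quoted in the advisory.
DEFAULT_COOKIE_SECRET='c292a0a3aa32397cdb050e233733900f'

# gen_secret -> 32 random bytes from /dev/urandom as 64 hex characters.
# (Assumption: the advisory's docs page may prescribe a different method.)
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# env_get FILE KEY -> value of the last KEY=value line, empty if absent
env_get() {
    grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# env_set FILE KEY VALUE: replace every existing KEY=... line in place, or
# append one if the key is not present, so the file never ends up with
# two competing definitions of the same variable.
env_set() {
    f=$1; k=$2; v=$3
    if grep -q "^$k=" "$f"; then
        tmp=$(mktemp)
        awk -v k="$k" -v v="$v" 'BEGIN { FS = OFS = "=" } $1 == k { print k, v; next } { print }' "$f" > "$tmp" \
            && mv "$tmp" "$f"
    else
        printf '%s=%s\n' "$k" "$v" >> "$f"
    fi
}

# prepare_rotation FILE -> performs steps 1 and 2 and prints the new secret key
# that step 3 (the CLI re-encrypt) and step 4 must use.
prepare_rotation() {
    f=$1
    new_key=$(gen_secret)
    new_cookie=$(gen_secret)
    # Step 1: pin REDASH_SECRET_KEY to the value Redash was implicitly using,
    # so the re-encrypt command knows what the stored fields are encrypted with.
    env_set "$f" REDASH_SECRET_KEY "$DEFAULT_COOKIE_SECRET"
    # Step 2: the cookie secret gets its own fresh value, unrelated to the key.
    env_set "$f" REDASH_COOKIE_SECRET "$new_cookie"
    echo "$new_key"
}

# finish_rotation FILE NEW_KEY -> step 4, to run only after step 3 succeeded.
finish_rotation() {
    env_set "$1" REDASH_SECRET_KEY "$2"
}

# Constructed sample env file (values made up): neither secret is set explicitly.
SAMPLE_ENV=$(mktemp)
printf 'REDASH_LOG_LEVEL=INFO\nREDASH_REDIS_URL=redis://redis:6379/0\n' > "$SAMPLE_ENV"

NEW_KEY=$(prepare_rotation "$SAMPLE_ENV")
# Step 3 is Redash's CLI; the subcommand syntax below is an assumption from memory.
echo "step 3: run  manage database reencrypt $DEFAULT_COOKIE_SECRET $NEW_KEY  (see docs)"
finish_rotation "$SAMPLE_ENV" "$NEW_KEY"   # step 4; in real use, only after step 3 succeeded
echo "step 5: restart Redash"
cat "$SAMPLE_ENV"
```

The ordering matters: REDASH_SECRET_KEY must still name the old value while the re-encrypt runs, which is why the script writes the default in step 1 and the new key only in step 4.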
For more information
If you have any questions or comments about this advisory:
Footnotes
[1] Read about how to pick a secret key in our docs.