Denial-of-Service disclosure for Meteor APM/Kadira agent

A security bug affecting the Meteor APM agent (also known as “Kadira”) requires your attention

Jesse Rosenberger
Meteor Blog

--

Meteor developers should be aware of a recently discovered security vulnerability. Please read this disclosure for full details and consult the Resolution section for the appropriate fix.

Description

A remotely triggerable Denial-of-Service (DoS) vulnerability has been discovered in applications that use Meteor Application Performance Monitoring (“APM”, formerly “Kadira”) through the mdg:meteor-apm-agent package, or through any similar “agent” package derived from the original meteorhacks:kadira package. These agent packages transmit performance metrics to Galaxy Meteor APM, NodeChef Meteor APM, and similar services.

This vulnerability has been patched in the mdg:meteor-apm-agent package, which is maintained by Meteor Development Group; packages maintained by other parties may still need to be patched. Please see the Resolution section below for the updates that prevent the attack.

Impact

A default Meteor configuration using only Meteor’s core packages is not vulnerable on its own; the attack becomes possible once an affected APM agent package is installed. Such packages include, but are not limited to:

- mdg:meteor-apm-agent (versions before 3.1.1)
- meteorhacks:kadira (versions before 2.30.4)
- any other “agent” package forked from meteorhacks:kadira

When a vulnerable version of an affected package is installed (whether or not it has been configured), the attack payload can be delivered remotely. After the payload has been delivered, the application is likely to become unresponsive and will need to be restarted.

Additionally, after the attack, newly constructed JavaScript objects may carry properties that would not normally be present: async, compute, count, db, email, errors, fetchedDocSize, http, sentMsgSize, total, and wait. Properties that show up on every freshly created object in this way have been written to Object.prototype, from which ordinary objects inherit, so the effect persists for the life of the process rather than being confined to a single request. Assertions or logic that do not expect these additional properties may raise errors or behave unpredictably, including corrupting application data and losing APM data.
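The symptom above (a brand-new object inheriting metric-like names) is what a process looks like once something has written to Object.prototype. The following is an added illustration, not the agent package's code and not the vector used against it: a generic per-key accumulation pattern that can pollute the prototype when the key is attacker-chosen, a detector for the exact property names the advisory lists, and a hardened store built on null-prototype objects. The `unsafeRecord`/`safeRecord` helpers and the `__proto__` key are assumptions for the demonstration.

```javascript
// Added illustration (not the agent's code). Shows how a generic
// "bucket keyed by an untrusted name" pattern can write to Object.prototype,
// how to detect the symptom the advisory describes, and a hardened store.

// Property names the advisory lists as appearing on fresh objects.
const ADVISORY_PROPS = ["async", "compute", "count", "db", "email", "errors",
  "fetchedDocSize", "http", "sentMsgSize", "total", "wait"];

// Own-property test that also works on null-prototype objects.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Detector: which of `names` does a brand-new object inherit? A clean process
// yields []. Every name returned is currently present on Object.prototype.
function findPollutedProps(names = ADVISORY_PROPS) {
  const fresh = {};
  return names.filter((n) => n in fresh && !hasOwn(fresh, n));
}

// Unsafe accumulation (hypothetical pattern): with name "__proto__",
// buckets[name] resolves to Object.prototype and the field write lands there,
// so every object in the process now inherits `field`.
function unsafeRecord(buckets, name, field, value) {
  if (!buckets[name]) buckets[name] = {};
  buckets[name][field] = (buckets[name][field] || 0) + value;
  return buckets;
}

// Hardened accumulation: null-prototype containers plus own-property checks,
// so no key chosen by the sender can reach a prototype.
function newSafeBuckets() {
  return Object.create(null);
}
function safeRecord(buckets, name, field, value) {
  if (!hasOwn(buckets, name)) buckets[name] = Object.create(null);
  const bucket = buckets[name];
  bucket[field] = (hasOwn(bucket, field) ? bucket[field] : 0) + value;
  return buckets;
}

// Run both variants against the same hostile key and report what leaked.
function demo() {
  const before = findPollutedProps();
  unsafeRecord({}, "__proto__", "wait", 5);
  const afterUnsafe = findPollutedProps();
  const leaked = ({}).wait;            // visible on an unrelated fresh object
  delete Object.prototype.wait;        // undo the demonstration
  const safe = safeRecord(newSafeBuckets(), "__proto__", "wait", 5);
  const afterSafe = findPollutedProps();
  const contained = safe["__proto__"].wait; // kept as an ordinary own key
  return { before, afterUnsafe, leaked, afterSafe, contained };
}

console.log(JSON.stringify(demo()));
```

`findPollutedProps()` is the check to run from a REPL attached to a suspect process: a non-empty result confirms the prototype has been modified and the process should be restarted rather than left running.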

If an application does not use an affected package, we have no evidence that the attack is possible.

Resolution

Any application using an affected package should update to a patched version. Two of the most common packages have already had the vulnerability patched, and their update instructions are included here for convenience.

Applications using mdg:meteor-apm-agent

The vulnerability has been fixed in version 3.1.1 of the mdg:meteor-apm-agent package. The command to update and patch the vulnerability is:

meteor update mdg:meteor-apm-agent

Applications using meteorhacks:kadira

We were not able to coordinate the publication of a patched version of the meteorhacks:kadira package with the package owner. Therefore, given the popularity of this package and with the best interests of the Meteor community in mind, Meteor Development Group has published a patched version of meteorhacks:kadira itself, without relying on the package author to do so.

As a result, the vulnerability is fixed in version 2.30.4 of the meteorhacks:kadira package. The command to update and patch the vulnerability is:

meteor update meteorhacks:kadira

To review the changes we published, please consult the pull-request we submitted to the meteorhacks:kadira GitHub repository.

Applications using other APM “agent” packages

Application developers should confirm that the package they are using has received the appropriate patch and update to the patched version of that package by using:

meteor update <package-name>

Maintainers of APM “agent” packages

Any package that was forked from meteorhacks:kadira should be patched. Maintainers of such packages should review the pull-request we submitted to the meteorhacks:kadira GitHub repository.

The changes supplied in that pull-request should be applied to the source of the forked package, and the patched package should be republished using meteor publish. Once republished, any application using the package should be updated to the newly published version with meteor update <package-name>, as above.

Verification

After running the appropriate meteor update command, developers should verify that the patched version of the affected package was installed, either by examining the output of the command or by inspecting the application's .meteor/versions file, which records one package@version pair per line. The recorded version should be 3.1.1 or later for mdg:meteor-apm-agent and 2.30.4 or later for meteorhacks:kadira.
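The check described above, scripted so it can run in CI against a checked-out app. This is an added example, not part of the advisory or Meteor's tooling; it assumes the standard one-`package@version`-per-line layout of .meteor/versions and compares dotted versions numerically (a pre-release suffix such as `-beta` is ignored after the numeric part). The `check_agent` helper and its exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added check (not from the advisory): confirm .meteor/versions pins an APM
# agent package at or above the patched release.
# Exit codes from check_agent: 0 patched, 1 vulnerable, 2 not installed/unreadable.

# Print the version pinned for package $2 in versions file $1, or nothing.
pinned_version() {
  [ -r "$1" ] || return 2
  awk -F'@' -v pkg="$2" '$1 == pkg { print $2; exit }' "$1"
}

# Return 0 if dotted version $1 >= $2, comparing component-wise as integers;
# a missing component counts as 0, so 3.1 equals 3.1.0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_agent <versions-file> <package> <minimum-patched-version>
check_agent() {
  file=$1; pkg=$2; minver=$3
  if [ ! -r "$file" ]; then
    echo "$file: cannot read versions file" >&2
    return 2
  fi
  v=$(pinned_version "$file" "$pkg")
  if [ -z "$v" ]; then
    echo "$pkg: not installed"
    return 2
  elif version_ge "$v" "$minver"; then
    echo "$pkg@$v: OK (>= $minver)"
    return 0
  else
    echo "$pkg@$v: VULNERABLE, update to >= $minver"
    return 1
  fi
}

# Usage: sh check_agent.sh path/to/.meteor/versions
# Checks the two packages named in the advisory; exits 1 if either is vulnerable.
if [ "$#" -ge 1 ]; then
  status=0
  for spec in mdg:meteor-apm-agent@3.1.1 meteorhacks:kadira@2.30.4; do
    r=0; check_agent "$1" "${spec%@*}" "${spec#*@}" || r=$?
    [ "$r" -ne 1 ] || status=1
  done
  exit "$status"
fi
```

A package that is absent is reported but does not fail the run, so the same script can be applied across many apps, of which only some use an agent. Forks of meteorhacks:kadira published under other names can be added to the `for spec` list once their maintainers have published a patched version.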

Credit

Meteor believes in responsible disclosure of security vulnerabilities. We respect the hard work of security researchers who privately notify us with vulnerability details, and we appreciate the time they give us to address and resolve vulnerabilities before disclosing them publicly.

Credit for the discovery of this vulnerability goes to Adam Baldwin from Lift Security and Juho Hietala from Pacific Reach Advisors, Inc., who reported this issue to Meteor.

Please contact security@meteor.com to report a vulnerability in Meteor.
