Tell HN: Upgrade your Metabase installation

Tell HN: Upgrade your Metabase installation(github.com)

208 points by zhoutong 2 years ago | 72 comments

hannofcart 2 years ago |

One of the better decisions we took at my firm was to not allow direct access to any production DB to analytics visualization tools like Metabase and Redash.

Always write your analytics data to a separate DB in a periodically run job. Only store aggregated anonymized data in the analytics DB you expose to internal stakeholders via tools like Metabase.

jimmytucson 2 years ago | |

Also your production database is optimized for different workloads than your analytics database.

Usually production is used for fetching and updating a small number of records at a time (think updating a shopping cart), and has strict latency requirements whereas analytics involves reading a large amount of data in columns (think count group by one or two columns), and can be done in batches where the results can get a more and more stale until the next batch runs.

bingemaker 2 years ago | | |

How do you batch write the results (say updating shopping carts) when frontend has to reflect whats in the database?

namaria 2 years ago | |

That's a great idea and it articulates something I have thought about the whole "use boring tech" things (which I support). It doesn't preclude letting people use the shiny new thing. You can always let them plug it in and use it. But the core of the system should be as simple as possible and based on thoroughly understood tech (from the point of view of the team in question/accessible labor market).

nucleardog 2 years ago | | |

I tend to discuss things in terms of the trunk, branch, and leaves.

Mostly in that the leaves of your system (parts that nothing else connects to or builds on) are generally a low risk place to try new things sometimes. If you do run into any intractable issues, it’s also an easy spot to pluck it off and replace it.

nneonneo 2 years ago | |

Worth pointing out that we recently discovered an RCE in RestrictedPython that affects Redash: https://github.com/zopefoundation/RestrictedPython/security/...

This should further emphasize the need to isolate these tools and ensure they are only accessible to people who need them.

98codes 2 years ago | |

Exactly right -- we do all of that, and even then tightly control and audit who has access to the anonymized, aggregated, read-only data cube.

MattJ100 2 years ago | |

What kind of tooling do you/people use for that? Or just custom scripts?

appplication 2 years ago | | |

Look up OLTP vs OLAP data stores to get an idea. There are a lot of common patterns for the specifics of implementing this. Usually you run a regularly scheduled job that dumps data representing some time period (e.g. daily jobs). There are some considerations for late arriving data, which is a classic DE interview question, but for the most part, big nightly dumps of the last day’s data/transactions/snapshots to date-partitioned columnar stores using an orchestration engine like Airflow is sufficient for 99% of use cases.

mh- 2 years ago | | |

(not the person you're replying to)

I can't recommend any specific tools without knowing a lot about the environment, but if you're looking for terms to google: ELT (Extract, Load, Transform) and CDC (Change Data Capture) will give you a sense of the landscape.

edit: the sibling comment that mentions Airflow is a good answer for an example of an ELT workflow.

pbreit 2 years ago | | |

Don't Maria, Postgres, etc make replication pretty easy?

lecha 2 years ago |

How many of you have received this notice via an official security advisory channel you're monitoring/acting on? If so, which advisory service do you use and how you configure it? Learning about HN is useful, but far from a reliable solution.

swe_dima 2 years ago | |

I am subsribed to their Github releases and when I saw a release for every old version I knew what's up :-)

rudasn 2 years ago | | |

Yeah I do the same for projects I use. I also received an email but don't remember if I also signed up to their newsletters or something like that.

Mandatum 2 years ago | |

Saw it on HN.

not_your_vase 2 years ago | |

It is definitely not announced on Full Disclosure nor on oss-security mailing lists.

worthless-trash 2 years ago | | |

Doesn't look like there is a CVE either: https://www.cvedetails.com/vulnerability-list/vendor_id-1947...

xctr94 2 years ago | |

I got an email directly from Metabase.

exabrial 2 years ago |

I think it's important to review the term "Zero Trust" because so many companies are getting it wrong.

Zero Trust does not mean: "No mor VPNs and private IP network ranges, everything is public. ::elitist hipster noises::"

Zero Trust simply means: "Just _because_ you're on a private network [or coming from a known ip], doesn't mean you're authenticated."

You should have every single one of your internal network services (like Metabase) behind a VPN like Wireguard or numerous other options. The sole purpose of this is to reduce your firewall log noise to a manageable level that can be reviewed by hand if necessary.

Obviously this isn't perfect security, but that's the _entire_ point: every security researcher says security should be an onion, not a glass sphere; many layers of independent security.

kevincox 2 years ago |

This is why I try to put everything behind NGINX with basic auth. Unfortunately not everything works well that way but in this case I suspect that this is made unexploitable by anyone without the password.

tedeh 2 years ago | |

Ha, I was just about to go in here and say the same thing.

"Fortunately" some "white hat" hacker contacted us last year about another Metabase exploit. I gave him a 30 USD tip and ended up doing exactly what you are suggesting.

Now I'm glad that means I don't need to interrupt my vacation to fix this thing right now.

fuomag9 2 years ago | | |

Here in Italy you get lucky if the company is not suing you :(

vdfs 2 years ago | |

Hmm, I was thinking that's a standard thing, atleast in HN crowd. basic setup Cloudflare -> Nginx -> Docker -> 3rd Party app, all on a dedicated vm

tlrobinson 2 years ago | |

You can also setup some reverse proxies to auth with SSO like Google. I use Traefik + https://github.com/thomseddon/traefik-forward-auth for personal projects, even on my local network.

square_usual 2 years ago | |

I like NGINX, but I prefer how simple it is to set up Caddy with basic auth. Caddy is already simpler to configure (and has automatic SSL via Let's Encrypt), but it's so simple to get its basic directive working compared to NGINX that I do it by default now.

lomereiter 2 years ago | |

Better yet, oauth2-proxy in case of an organization: only admins need to know the secrets, every user simply uses SSO to get access.

nullcipher 2 years ago | |

or vpn

riadsila 2 years ago |

For more context: https://www.metabase.com/blog/security-advisory

vxNsr 2 years ago | |

They say they’ll be releasing the patch publicly, but isn’t this OSS, can’t anyone just do a diff and with a little “elbow grease” find the patch?

JJJollyjim 2 years ago | | |

They haven't released the source, and the compiled versions are non-trivial to diff (e.g. there are nondeterministic numbers from the clojure compiler that seem to have changed from one to the other, and .clj files have been removed from the jar).

The old version has `hash=1bb88f5`, which is a public commit: https://github.com/metabase/metabase/commit/1bb88f5

Whereas the new version has `hash=c8912af`, which is not: https://github.com/metabase/metabase/commit/c8912af

hadrien01 2 years ago | | |

> Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.

MuffinFlavored 2 years ago | | |

https://github.com/metabase/metabase/compare/v0.46.6...v0.46...

I can't tell if that's it?

edit: I've looked at it a few times, I don't think that's it?

thomasfromcdnjs 2 years ago |

It would be nice to know if this vulnerability affects people who never made their Metabase installations publicly accessible.

Aka if I am running Metabase locally.

Mandatum 2 years ago | |

It’ll be an RCE. If you are network isolated or have a proxy in front of it, you can take the weekend off.

MuffinFlavored 2 years ago | |

How would an attacker exploit that?

ac2u 2 years ago | | |

A vulnerability (not necessarily this one, just hypothesising) could be exploited via a payload result from an outbound request to the internet.

not_your_vase 2 years ago |

Emergency deployment late Friday afternoon (by EU time, at least), the best way to end a week :)

kmitz 2 years ago |

Thanks for the heads up ! Without your message I'd probably have found out in a couple months :)

smithcoin 2 years ago |

If I have my metabase installation protected behind oauth with G suite am I protected from these kinds of vectors?

Dachande663 2 years ago |

Perhaps a naive question, but if running metabase within a docker container, what permissions would this RCE have? AFAIK the container has network access and access to the mounted volumes and that's it right?

JJJollyjim 2 years ago | |

Presumably the metabase instance also has credentials to access some databases, some of which may be have enough privileges to also get RCE on the database machines (as well as messing with the data they hold).

Dachande663 2 years ago | | |

We issue separate read-only credentials for database access fortunately. Still doesn't remove the risk of all the data been exfiltrated though.

hiatus 2 years ago | |

The container has access to whatever database you connect metabase to for BI. If the db connection credentials are available to the container, it's possible a malicious actor could access your prod db.

throwaway6734 2 years ago | |

It depends on how the container is being run and if it has root Access

formerly_proven 2 years ago |

> Extremely severe. An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on.

Java deserialization strikes another one down, I assume?

theanonymousone 2 years ago |

Will it still be (as) dangerous if Metabase is running inside a container?

Mandatum 2 years ago | |

To all the data inside of it? Sure.

To all of the auth tokens and user creds? Why not.

jacob_rezi 2 years ago |

What would happen if a software's database was completely accessible via an open api end point?

exabrial 2 years ago |

thank you!