Alert for CVE-2022-30331
Original date: June 2022
TigerGraph has disputed this vulnerability, as the basis of the claim merely states that a privileged user could write code within TigerGraph that might introduce a vulnerability in a query accessible to other authenticated users.
One of the key benefits of using TigerGraph is the ability to create custom functions (UDFs) in native C++ for high-speed data-manipulation.
These functions are then made available to all users for implementation in their query operations.
As C++ is a powerful, low-level programming language, it is expected that anyone who writes or installs code is familiar with secure coding practices and careful to review any code from outside sources before implementation.
By default, only users with the superuser role are allowed access to install UDFs, ensuring that any code installed is properly reviewed by an administrator at the appropriate level.
Configuration controls are also available to ensure UDFs are pulled from a trusted administrator repository if the feature to store UDFs on GitHub is leveraged.
The remainder of the CVE details various malicious actions leveraging the custom C++ code in the UDF. None of these actions is possible when the superuser password is properly configured and the superuser reviews the code before installing it.
These are the root causes of the exploitation detailed in the CVE:
The default superuser did not configure their password to enable authentication.
The superuser installed malicious/insecure code which allowed any user to execute a shell command.
The following best practices should always be followed to ensure your environment is secured:
Credentials should be properly configured. Default credentials/passwords are #5 in the OWASP Top 10 list of vulnerabilities.
Superusers should treat UDFs as developed software. We recommend utilizing the Secure Software Development Life Cycle processes, including static code analysis and appropriate code reviews, prior to installing them on a TigerGraph deployment.
If GSQL is configured to read from a GitHub repository for UDFs, ensure that the repository is properly secured, and the hosted code and any future changes are reviewed by system administrators prior to installing them on a TigerGraph deployment.
There are two possible ways for a user to upload a UDF.
Starting with TigerGraph 3.8.0, both of those methods are disabled by default.
Each of them can only be enabled by a user with administrator privilege using the
For more details, see Upload UDFs.
TigerGraph 3.9.0 introduced a set of checks and restrictions, collectively known as UDF File Scanning, which block certain C++ code from being loaded. This feature, enabled by default, scans the UDF source code to ensure that each UDF complies with the security policies. UDFs which do not satisfy all the restrictions are blocked from being compiled and run. For full details, see TigerGraph documentation for UDF file scanning.
Feature blocklist. C++ headers and features in this private, non-modifiable list are blocked from use.
File header allowlist. Only headers present in the allowlist can be included in UDF files. The default list (see UDF file scanning) can only be modified with a gadmin config set command by the system administrator.
Macros with replacement are disabled.
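As an added illustration (not TigerGraph's own scanner), the following Python check applies the three kinds of restriction described above to a UDF source file: a header allowlist, a feature blocklist, and rejection of macros that carry replacement text. The allowlist, blocklist and the two sample UDFs are constructed for this example and are not TigerGraph's real lists.

```python
import re

# Constructed example policy: TigerGraph's real allowlist/blocklist are not reproduced here.
HEADER_ALLOWLIST = {"string", "vector", "cmath", "algorithm", "ExprUtil.hpp"}
FEATURE_BLOCKLIST = ("system(", "popen(", "fork(", "execl(", "execv(", "dlopen(")

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')
# name, optional parameter list (function-like macro), replacement text
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)(\([^)]*\))?\s*(.*?)\s*$')


def scan_udf(source: str) -> list:
    """Return policy violations for a UDF source file; an empty list means it passes.

    Comments are not stripped, so a blocked token inside a comment is also
    reported: the check fails closed rather than trying to parse C++.
    """
    violations = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        inc = INCLUDE_RE.match(line)
        if inc:
            header = inc.group(1)
            if header not in HEADER_ALLOWLIST:
                violations.append(f"line {lineno}: header '{header}' not in allowlist")
            continue
        mac = DEFINE_RE.match(line)
        if mac:
            name, params, body = mac.groups()
            # A bare '#define GUARD' (include guard) is fine; any replacement is not.
            if params or body:
                violations.append(f"line {lineno}: macro '{name}' has replacement text")
        for feature in FEATURE_BLOCKLIST:
            if feature in line:
                violations.append(f"line {lineno}: blocked feature '{feature.rstrip('(')}'")
    return violations


def udf_is_allowed(source: str) -> bool:
    """True only when the UDF satisfies every restriction."""
    return not scan_udf(source)


# Constructed sample UDFs used to exercise the scanner.
SAFE_UDF = (
    "#ifndef EXPR_FUNCTIONS_HPP\n#define EXPR_FUNCTIONS_HPP\n"
    "#include <string>\n#include <algorithm>\n"
    "inline std::string to_upper(std::string s) {\n"
    "  std::transform(s.begin(), s.end(), s.begin(), ::toupper);\n  return s;\n}\n#endif\n"
)
UNSAFE_UDF = (
    "#include <cstdlib>\n#include <string>\n#define RUN(cmd) system(cmd)\n"
    "inline std::string run_shell(std::string cmd) {\n  RUN(cmd.c_str());\n  return \"done\";\n}\n"
)
```

Running `scan_udf(UNSAFE_UDF)` reports the non-allowlisted header, the macro with replacement text, and the blocked call on the macro line, while `SAFE_UDF` produces no findings.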
The security of your data is paramount to us, and we are continually looking for ways to improve our product to make sure it stays safe.