Recently, two vulnerabilities in Cube's WebSocket transport implementation have been discovered during an internal security audit. These vulnerabilities have been promptly patched. Impacted deployments in Cube Cloud were secured.

We're publishing this advisory to prompt Cube Core users to check the configuration of their Cube deployments and mitigate the potential security issue immediately.

Read below about the details, affected and fixed versions, and required action.

Impact

Vulnerabilities apply to Cube deployments:

Exploitation involves sending a specially crafted payload while authenticating with a valid API token. Exploiting the first vulnerability, CVSS-rated as High, allows privilege escalation. Exploiting the second vulnerability, CVSS-rated as Moderate, allows a denial-of-service attack.

There is no evidence that these vulnerabilities were exploited in the wild.

Affected and fixed versions

Deployments running Cube versions from 0.27.19 to 1.5.14 are affected.

The vulnerabilities are resolved in the following versions of Cube:

  • 1.6.0 and later (regular release)
  • 1.5.15 and later (regular release)
  • 1.4.2 (active LTS release)
  • 1.0.14 (end-of-life LTS release)

Required action

All Cube users are advised to immediately upgrade their deployments to versions 1.6.0, 1.5.15, 1.4.2, 1.0.14, or any later version.
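The following is an added triage helper, not code from Cube or this advisory: it classifies the Cube versions in a deployment inventory against the affected range and fixed versions stated above, taking care not to flag builds on the 1.4.x and 1.0.x LTS lines that already carry the backported fix (a plain "at most 1.5.14" check would misreport those). The inventory of version strings is constructed for the example.

```javascript
// Added example (not Cube's own code): classify a reported Cube version against
// the ranges in this advisory. Affected: 0.27.19 through 1.5.14, except builds
// on the 1.4.x and 1.0.x LTS lines that already carry the backported fix
// (1.4.2 and later, 1.0.14 and later). 1.5.15+ and 1.6.0+ lie outside the range.

// Deployment inventory, constructed for this example.
const SAMPLE_INVENTORY = ['0.27.18', '0.27.19', '1.0.13', '1.0.14', '1.4.1', '1.4.2', '1.5.14', '1.5.15', '1.6.0'];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison component by component, so that 1.5.14 < 1.5.15 < 1.6.0.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_FROM = '0.27.19';
const AFFECTED_TO = '1.5.14';
// Patched LTS lines: a build at or after fixedAt on the same minor line is fixed.
const LTS_FIXES = [{ line: [1, 4], fixedAt: '1.4.2' }, { line: [1, 0], fixedAt: '1.0.14' }];

function isAffected(version) {
  if (compareVersions(version, AFFECTED_FROM) < 0) return false;
  if (compareVersions(version, AFFECTED_TO) > 0) return false;
  const [major, minor] = parseVersion(version);
  for (const { line, fixedAt } of LTS_FIXES) {
    if (major === line[0] && minor === line[1] && compareVersions(version, fixedAt) >= 0) return false;
  }
  return true;
}

// Report one row per deployment so the affected ones can be scheduled for upgrade.
function triage(versions) {
  return versions.map((v) => ({ version: v, affected: isAffected(v) }));
}

console.table(triage(SAMPLE_INVENTORY));
```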

Before upgrading, please check product changelog entries for breaking changes. To upgrade a Cube Core deployment, use newer versions of published Docker images. To upgrade a Cube Cloud deployment, select a newer version on the Settings page of your deployment and click Apply; this will trigger a redeploy.

Note that upgrading to a new major or minor version (e.g., from 1.2 to 1.5) will likely require some or all pre-aggregations to be rebuilt. Please plan the upgrade accordingly.

Deployments in Cube Cloud have been secured. Please contact Cube Cloud customer success if you have further questions.

Cube Core users are notified via the Slack community at slack.cube.dev.

Our commitment

Security is a priority for both Cube Core and our cloud platform. We're implementing a secure development lifecycle and strengthening our security controls. For more details, visit our trust center.