Nuclio Java Runtime Vulnerability Leads to Build-Time Remote Code Execution
Nuclio's Java runtime dashboard API, by default configured with NOP authentication, is vulnerable to remote code execution (CWE-94) where attackers can inject arbitrary Groovy code into the unsanitized `runtimeAttributes.repositories` field, which is directly written into the `build.gradle` file, allowing the injected code to execute during the Gradle configuration phase as root within the build container.
A critical vulnerability (CWE-94, Improper Control of Generation of Code) has been discovered in Nuclio's Java runtime, affecting versions up to and including 1.15.27. This flaw enables unauthenticated attackers to achieve remote code execution (RCE) within the build environment. The vulnerability stems from the Dashboard API's default NOP authentication and a lack of input validation on the runtimeAttributes.repositories field. Attackers can embed arbitrary Groovy code into this field, which is then unescaped and directly written into the build.gradle file during the function build process. This injected code executes unconditionally during the Gradle configuration phase with root privileges inside the builder container, leading to a complete compromise of the build system. The issue was dynamically verified and confirmed to allow commands like id, hostname, and whoami to execute as the root user.
Attack Chain
- An unauthenticated attacker sends an HTTP POST request to the Nuclio Dashboard API's
/api/functionsendpoint. - The request body includes a malicious
runtimeAttributes.repositoriesfield within the function definition, containing Groovy code designed to break out of therepositories {}block and execute arbitrary commands. - The Dashboard API receives the request; due to default NOP authentication, no credentials or input validation are performed on the
runtimeAttributes.repositoriescontent. - The
newBuildAttributes()function decodes theruntimeAttributeswithout content inspection, allowing the malicious string to pass through. - The
createGradleBuildScript()function uses Go'stext/templateengine to render theruntimeAttributes.repositoriesverbatim into thebuild.gradlefile, without any contextual escaping. - The generated
build.gradlefile now contains the attacker's injected Groovy code as top-level statements. - The build process, executed by
./build-user-handler.shinside thequay.io/nuclio/handler-builder-java-onbuildcontainer, invokesgradle tasksandgradle userHandler. - During Gradle's configuration phase, the injected Groovy statements are evaluated, executing the attacker's arbitrary commands (e.g.,
id && hostname && whoami) with root privileges (uid=0) inside the build container.
Impact
Successful exploitation of this vulnerability results in unauthenticated remote code execution with root privileges on the Nuclio build container. An attacker can execute arbitrary commands, leading to full compromise of the build environment, potential data exfiltration, supply chain attacks by injecting malicious code into compiled artifacts, or further lateral movement within the hosting Kubernetes cluster. The proof-of-concept demonstrated execution of id && hostname && whoami commands, returning uid=0(root) gid=0(root) groups=0(root), confirming maximum privileges.
Recommendation
- Patch Nuclio deployments immediately to a version greater than 1.15.27 (once available) as this version is confirmed vulnerable.
- Monitor
process_creationlogs on Linux build containers for suspicious shell command execution (e.g.,sh -cfollowed by system enumeration commands likeid,whoami,hostname) withjavaas a parent process runninggradle, as described in the detection rule below. - Implement robust authentication and authorization for the Nuclio Dashboard API, moving away from NOP authentication, to prevent unauthenticated access.
Detection coverage 1
Detect Nuclio Build-Time RCE via Suspicious Shell Command Execution in Gradle
criticalDetects exploitation of the Nuclio build-time RCE vulnerability (GHSA-3v79-m2cg-89ww) by monitoring for suspicious shell command execution (e.g., system enumeration) where a Java process running Gradle is the parent, indicating injected Groovy code execution.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
string
| Type | Value |
|---|---|
| string | id && hostname && whoami |