Security fix in Open OnDemand patch release 1.6.22 and 1.5.7 now available

We have released a 1.6.22 and 1.5.7 patch release with a security fix to a CSRF vulnerability in the shell app (see code changes here).

To update from 1.6.20 to 1.6.22 or 1.5.5 to 1.5.7:

sudo yum update ondemand

This security fix adds proper CSRF protection using both the Origin request header check and a CSRF token check.

The Origin check builds the expected origin string from the X-Forwarded-Proto and X-Forwarded-Host headers that Apache mod_proxy sets, and compares that string with the Origin request header the browser sends in the WebSocket upgrade request.

In some edge cases this string may not be correct, and as a result valid WebSocket connections will be denied. In this case you can either set the OOD_SHELL_ORIGIN_CHECK environment variable to the correct https origin string, or disable the origin check altogether by setting OOD_SHELL_ORIGIN_CHECK=off (or any other value that does not start with “http”). This can be set in /etc/ood/config/apps/shell/env or in /etc/ood/config/nginx_stage.yml (see 1.5 docs and 1.6 docs on this). Either way the CSRF token check still protects against this vulnerability.
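The Origin check and the OOD_SHELL_ORIGIN_CHECK override described above, as an added illustration that is not the shell app's own code: it assumes a lowercase-keyed header map (as Node's http module provides) and an env object supplied by the caller, and the sample header and env values are constructed for the example.

```javascript
// Added illustration, not Open OnDemand's own code: the Origin check the
// release note describes, applied to a WebSocket upgrade request.
// `headers` is a lowercase-keyed header map and `env` stands in for
// process.env; both are supplied by the caller.

function expectedOrigin(headers, env) {
  const override = env.OOD_SHELL_ORIGIN_CHECK;
  if (override) {
    // Any value not starting with "http" (e.g. "off") disables the check.
    return override.startsWith('http') ? override : null;
  }
  // Default: rebuild the public origin from what Apache mod_proxy forwarded.
  const proto = headers['x-forwarded-proto'];
  const host = headers['x-forwarded-host'];
  if (!proto || !host) return undefined; // no reference string can be built
  return `${proto}://${host}`;
}

// True when the upgrade request's Origin equals the expected origin, or the
// check is disabled. Denying when Origin is absent or no reference string
// exists is a conservative choice of this example, not a statement about OOD.
function originAllowed(headers, env) {
  const expected = expectedOrigin(headers, env);
  if (expected === null) return true;       // check disabled via env var
  if (expected === undefined) return false; // nothing to compare against
  const origin = headers['origin'];
  return typeof origin === 'string' && origin === expected;
}

// Constructed sample: a legitimate upgrade arriving through the Apache proxy.
const SAMPLE_HEADERS = {
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'ondemand.example.org',
  'origin': 'https://ondemand.example.org',
};

// Constructed sample: the edge case where the proxy forwards an internal host
// name, so the admin pins the expected origin with the env var instead.
const SAMPLE_ENV = { OOD_SHELL_ORIGIN_CHECK: 'https://ondemand.example.org' };
```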