What is Changing?
In the week of March 12th, 2019, Sumo Logic will release a change to the behavior of the Script Sources and Script Action feature of our Installed Collector. This change addresses a security concern regarding the Collector’s default “opt-out” model for executing Script Sources and Script Actions.
By default, the current Sumo Logic Installed Collector executes Script Sources and Script Actions automatically, upon installation. This behavior will change for all Installed Collectors released after March 12th, 2019. Going forward, the Installed Collector will not execute scripts unless the "opt-in" flag is set in either the Collector’s user.properties configuration file or as a parameter in the command line installer. This effectively adds one configuration step the user must take before the Installed Collector executes Script Sources or Actions.
Who does this affect?
The switch to the opt-in behavior will not change the behavior of currently deployed Installed Collectors. However, on March 12th, 2019, users who automate the deployment of new Installed Collectors will need to update their automation scripts to set the new opt-in flag in the user.properties file, or command line parameter, if they are also deploying Script Sources or Script Actions.
What Security Vulnerabilities are being assessed?
Script Sources allow users to write scripts that Installed Collectors execute in order to collect data from custom sources other than log files. Similarly, Script Actions enable users to pass the results of a saved search to an Installed Collector, where they are temporarily saved to the filesystem.
Users may write these scripts from the Sumo Logic UI where they will be sent to the Collector and executed on the machine on which the collector is running. While only authenticated users with the Manage Collectors role can write and deploy these scripts, these same Sumo users may also be running the Installed Collector as a highly privileged local user such as root. Scripts passed to the Installed Collector would then execute as the user the collector is running as.
Users may already disable the automatic execution of Script Sources and Script Actions by setting the disableScriptSource or disableScriptAction properties, or with the VdisableScriptSource or VdisableScriptAction parameters in the command line installer. However, this is an opt-out model. Collectors released after March 12th, 2019 will instead follow an opt-in model for executing scripts.
Users of the Installed Collector may opt in to script execution by setting the enableScriptSource or enableActionSource properties to true in the user.properties file, collector.properties file, or with the VenableScriptSource and VenableActionSource parameters in the command line installer.
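Where Collectors are deployed by automation, the four properties named above can be audited per host to see which machines have opted in to script execution. The following is an added example, not Sumo Logic code: the function names and sample file contents are constructed, the properties parsing is simplified, and because this notice does not state how the enable and disable flags interact, the script only reports their values.

```shell
#!/bin/sh
# Added example (not Sumo Logic code): audit a Collector properties file for the
# script-execution flags named in this notice. Sample contents are constructed.

FLAGS="enableScriptSource enableActionSource disableScriptSource disableScriptAction"

# prop_value FILE KEY: print the last value assigned to KEY, or nothing if unset.
# Simplified properties parsing: "key=value" or "key: value", # and ! comments.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /[ \t]*[=:][ \t]*/) == 0) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# flag_report FILE: one "flag=value" line per flag, "unset" when absent.
flag_report() {
    for f in $FLAGS; do
        v=$(prop_value "$1" "$f")
        echo "$f=${v:-unset}"
    done
}

# script_exec_opted_in FILE: succeed if either opt-in flag is true.
# Assumption: any letter case of "true" counts, so the audit errs toward flagging.
script_exec_opted_in() {
    for f in enableScriptSource enableActionSource; do
        v=$(prop_value "$1" "$f" | tr 'A-Z' 'a-z')
        if [ "$v" = "true" ]; then return 0; fi
    done
    return 1
}

# Demo on a constructed file.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'name = web-01' '#enableActionSource=true' \
    'enableScriptSource = true' 'disableScriptAction=false' > "$sample"
flag_report "$sample"
if script_exec_opted_in "$sample"; then echo "script execution: opted in"; fi
rm -f "$sample"
```

Hosts reported as opted in are the ones to review for which local user the Collector runs as, since scripts execute with that user's privileges.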