Recently, two vulnerabilities in Cube's WebSocket transport implementation have been discovered during an internal security audit. These vulnerabilities have been promptly patched. Impacted deployments in Cube Cloud were secured.

We're publishing this advisory to prompt Cube Core users to check the configuration of their Cube deployments and mitigate the potential security issue immediately.

Read below about the details, affected and fixed versions, and required action.

Impact

Both vulnerabilities apply to Cube deployments:

Exploitation involves sending a specially crafted payload while authenticating with a valid API token. Exploiting the first vulnerability, CVSS-rated as High, allows privilege escalation. Exploiting the second vulnerability, CVSS-rated as Medium, allows executing a denial-of-service attack.

There is no evidence that these vulnerabilities were exploited in the wild.

Affected and fixed versions

Deployments running the following versions of Cube are affected: from 0.27.19 to 1.5.14.

The vulnerabilities are resolved in the following versions of Cube, which include the hardened WebSocket request processing implementation:

  • 1.6.0 and later (regular release)
  • 1.5.15 and later (regular release)
  • 1.4.2 (active LTS release)
  • 1.0.14 (end-of-life LTS release)

Required action

All Cube users are advised to immediately upgrade their deployments to versions 1.6.0, 1.5.15, 1.4.2, 1.0.14, or any later version.

For affected versions, disabling the WebSocket transport by setting CUBEJS_WEB_SOCKETS to false (if it was ever enabled) also mitigates these vulnerabilities. However, we strongly advise you to upgrade anyway.
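To help operators triage a fleet of Cube Core deployments against the version ranges and the CUBEJS_WEB_SOCKETS mitigation described above, here is an added example check (not part of the advisory or of Cube's own tooling). It assumes that later patch releases on the 1.5, 1.4 and 1.0 lines carry the fix, and it conservatively treats any CUBEJS_WEB_SOCKETS value other than an explicit "false" as "transport enabled".

```python
# Added example: classify a Cube deployment as patched, mitigated or exposed
# using only the figures published in the advisory above.
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (a leading 'v' is tolerated) into a tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Cube version: {text!r}")
    return tuple(int(p) for p in parts)


# Affected range from the advisory: 0.27.19 through 1.5.14 inclusive.
FIRST_AFFECTED: Version = (0, 27, 19)
LAST_AFFECTED: Version = (1, 5, 14)
# Fixed releases inside that range, keyed by (major, minor) -> first fixed patch.
# Assumption: later patch releases on these lines also carry the fix.
FIXED_IN_LINE = {(1, 5): 15, (1, 4): 2, (1, 0): 14}


def is_vulnerable_version(version: str) -> bool:
    """True if this Cube version lacks the hardened WebSocket implementation."""
    v = parse_version(version)
    if v >= (1, 6, 0) or v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return False
    fixed_patch = FIXED_IN_LINE.get((v[0], v[1]))
    return fixed_patch is None or v[2] < fixed_patch


def assess_deployment(version: str, web_sockets_env: Optional[str]) -> str:
    """Return 'patched', 'mitigated' or 'exposed' for one deployment.

    web_sockets_env is the raw CUBEJS_WEB_SOCKETS value (None if unset).
    Only an explicit "false" counts as the mitigation being applied; an unset
    or unrecognised value is treated as enabled (conservative assumption).
    """
    if not is_vulnerable_version(version):
        return "patched"
    if (web_sockets_env or "").strip().lower() == "false":
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample inventory: (deployment name, version, CUBEJS_WEB_SOCKETS)
    for name, ver, ws in [("api-prod", "1.5.14", "true"), ("api-stage", "1.3.0", "false"),
                          ("api-lts", "1.4.2", "true")]:
        print(f"{name}: {assess_deployment(ver, ws)}")
```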

Before upgrading, please check product changelog entries for breaking changes. To upgrade a Cube Core deployment, use newer versions of published Docker images. To upgrade a Cube Cloud deployment, select a newer version on the Settings page of your deployment and click Apply; this will trigger a redeploy.

Note that upgrading to a new major or minor version (e.g., from 1.2 to 1.5) will likely require some or all pre-aggregations to be rebuilt. Please plan the upgrade accordingly.

Deployments in Cube Cloud have already been secured by explicitly disabling WebSocket transport and/or upgrading to a non-vulnerable version. Administrators of Cube Cloud accounts have been notified via email. Please contact Cube Cloud customer success if you have further questions.

Cube Core users are notified via the Slack community at slack.cube.dev, the pinned issue on GitHub, and the banner in the documentation.

Our commitment

Security is a priority for both Cube Core and our cloud platform. We're implementing a secure development lifecycle and strengthening our security controls. For more details, visit our trust center.