BentoML Server-Side Template Injection Vulnerability Allowing Arbitrary Code Execution on Host

Vulnerability

A server-side template injection vulnerability has been identified in BentoML versions prior to 1.4.38. The issue arises in the Dockerfile generation function 'generate_containerfile()', which uses an unsandboxed Jinja2 environment to render user-provided Dockerfile templates. This vulnerability allows execution of arbitrary Python code on the host machine, bypassing container isolation, when a malicious Bento archive is imported and containerized.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the host machine, with potential access to the filesystem, environment variables, and the ability to install backdoors or pivot to other systems. This vulnerability could also compromise the supply chain if the affected machine is a CI/CD runner.

Reproduction

To reproduce this vulnerability, an attacker can create a malicious Jinja2 template that executes Python code, such as a command to write to a file. This template is then referenced in a Bento file configuration. After building and exporting the Bento archive, the victim imports it and uses the 'bentoml containerize' command, which triggers the execution of the malicious code on the host.

Remediation

Users should update to BentoML version 1.4.38 or later, where this vulnerability has been fixed. The update replaces the unsandboxed Jinja2 environment with a sandboxed environment, removing the dangerous extensions that allowed code execution.
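The difference between the two environment types can be checked directly. The following is an added example, not BentoML's code or its patch: the function name, template strings and context values are constructed for illustration, and it assumes the jinja2 package is installed. The probe expression only reads a Python object's internals, which is the capability the sandbox has to deny.

```python
# Added example: constructed templates and names; requires the jinja2 package.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for a Dockerfile template shipped in an untrusted archive.
# The LABEL line is a harmless probe that reaches into Python object internals.
UNTRUSTED_TEMPLATE = (
    "FROM {{ base_image }}\n"
    'LABEL probe="{{ base_image.__class__.__name__ }}"\n'
)

# Constructed template that uses only plain variables and a built-in filter.
BENIGN_TEMPLATE = (
    "FROM {{ base_image }}\n"
    "RUN pip install {{ packages | join(' ') }}\n"
)

CONTEXT = {"base_image": "python:3.11-slim", "packages": ["numpy", "pandas"]}


def render_dockerfile(source, context, sandboxed=True):
    """Render template text; return (rendered_text_or_None, error_or_None)."""
    env_cls = SandboxedEnvironment if sandboxed else Environment
    env = env_cls(autoescape=False)
    try:
        return env.from_string(source).render(**context), None
    except SecurityError as exc:
        # The sandbox refuses underscore-prefixed attribute access at render time.
        return None, str(exc)


if __name__ == "__main__":
    for label, sandboxed in (("unsandboxed", False), ("sandboxed", True)):
        text, err = render_dockerfile(UNTRUSTED_TEMPLATE, CONTEXT, sandboxed)
        print(f"[{label}] rendered={text!r} error={err!r}")
    # Ordinary templates keep working under the sandbox.
    print(render_dockerfile(BENIGN_TEMPLATE, CONTEXT)[0])
```

A SecurityError raised while rendering a template from an imported archive is worth logging as a signal that the archive should be inspected, not just as a build failure.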

Added: Apr 6, 2026, 6:31 PM
Updated: Apr 6, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.