
CVE-2022-23628, OPA and Styra DAS

February 21, 2022

CVE-2022-23628 was published last week by the Open Policy Agent (OPA) project maintainers after a user reported unexpected behavior from a policy bundle that was built with optimizations enabled.

The problem stemmed from a fix in the v0.33.1 release that addressed incorrect pretty-printing of Rego object literals by the `opa fmt` command and the underlying `format` package. That fix introduced a regression: elements of array literals could be reordered in the pretty-printed output if any of the elements had been generated programmatically rather than parsed from source text.

Because the `opa build` command pretty-prints optimized (i.e., partially evaluated) Rego before including it in a bundle, and partial evaluation produces AST terms programmatically, it was possible for `opa build` to inadvertently change the logic of statements containing array literals.

This post outlines the status, impact and solution to the problem.

Status

The impact of CVE-2022-23628 is limited to cases where Rego ASTs are generated programmatically and then pretty-printed by an OPA version from v0.33.1 (inclusive) to v0.37.2 (exclusive).

Specifically, this could occur if `opa build` was used with `--optimize=1` or `-O=1` (or greater) to produce a bundle that was then distributed to OPAs for enforcement.

Styra Declarative Authorization Service (DAS) customers were not affected because bundle optimization was not enabled in the Styra DAS releases that relied on the affected OPA versions (v0.33.1 up to, but not including, v0.37.2). If you are an on-premise customer and you have enabled this feature flag, please contact your CSM or support@styra.com for help.

Because this issue affects the bundle build step and not policy evaluation, users DO NOT have to upgrade OPA deployments immediately: the fix is needed wherever bundles are built, not wherever they are enforced. For example, a bundle built with optimizations enabled by OPA v0.37.2 can be safely deployed to OPA v0.36.1.
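The following is an added example, not code from the Styra post or the OPA project. It encodes the exposure condition above as a check you can run in a build pipeline: the OPA version that performs `opa build` falls in the affected range, and the command line requests an optimization level of 1 or greater. It assumes that `opa version` prints a line beginning with `Version: ` (labelled as an assumption in the code) and handles only the flag spellings the post names plus the space-separated forms.

```python
"""Added example (not from the Styra post or the OPA project): decide whether an
`opa build` invocation is exposed to CVE-2022-23628 from the builder's OPA
version and the build flags it was given."""
import re

AFFECTED_MIN = (0, 33, 1)  # inclusive: the release that introduced the regression
FIXED = (0, 37, 2)         # exclusive: the release that contains the fix


def parse_version(text):
    """Return (major, minor, patch) from '0.36.1', 'v0.36.1', '0.36.1-dev',
    or the full output of `opa version`.

    Assumption: `opa version` prints a line starting with 'Version: '.
    """
    m = re.search(r"(?m)^(?:Version:\s*)?v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"no OPA version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def optimize_level(argv):
    """Return the optimization level requested on an `opa build` command line,
    or 0 if none. Handles --optimize=N, --optimize N, -O=N and -O N.
    (The shorthand -ON without a separator is not handled here.)"""
    level = 0
    i = 0
    while i < len(argv):
        arg = argv[i]
        for flag in ("--optimize", "-O"):
            if arg == flag and i + 1 < len(argv):
                level = int(argv[i + 1])
                i += 1
            elif arg.startswith(flag + "="):
                level = int(arg[len(flag) + 1:])
        i += 1
    return level


def build_is_affected(version_text, argv):
    """True when this build would be exposed: affected OPA version AND -O >= 1."""
    version = parse_version(version_text)
    return AFFECTED_MIN <= version < FIXED and optimize_level(argv) >= 1


if __name__ == "__main__":
    # Constructed sample: what `opa version` printed on the build host.
    sample_version = "Version: 0.36.1\nBuild Commit: abcdef0\nGo Version: go1.17"
    print(build_is_affected(sample_version, ["build", "-O=1", "-b", "."]))   # True
    print(build_is_affected("Version: 0.37.2", ["build", "--optimize", "1", "."]))  # False
```

Run the check against the OPA binary that your CI uses for `opa build`, not against the OPA that serves decisions; only the former matters for this issue.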

Impact

Policies containing statements that pattern-match on Rego arrays containing variables could generate incorrect decisions, because `=` unifies the array pattern with the value element by element, so element order is part of the logic. For example, given the following rule:

```
hello {
      ["foo", _] = split(input.resource, "/")
}
```

This issue could transpose the array elements on the second line, turning the rule emitted in the output bundle into:

```
hello {
      [_, "foo"] = split(input.resource, "/")
}
```

As a result, with an input of `{"resource": "foo/bar"}`, where `split` returns `["foo", "bar"]`, the original pattern `["foo", _]` unifies but the transposed pattern `[_, "foo"]` requires `"bar"` to equal `"foo"` and fails. The outcome of the policy would change from:

```
{
    "hello": true
}
```

to the rule being undefined (an empty result):

```
{}
```
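To make the mechanism above concrete, here is an added example (not code from the Styra post or the OPA project) that models Rego's array unification in Python and evaluates the `hello` rule with both the source pattern and the transposed pattern an affected `opa build` could emit. It generalizes the post's case slightly: besides the anonymous `_` wildcard it supports named variables, which must bind consistently across the pattern. It is a simplified model of Rego semantics, sufficient for array patterns of strings, wildcards and variables only.

```python
"""Added example (not from the Styra post or the OPA project): a small unifier for
Rego-style array patterns, used to show why transposing ["foo", _] into [_, "foo"]
changes the decision for input {"resource": "foo/bar"}."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    """A Rego variable in a pattern. The name "_" is the anonymous wildcard:
    it matches anything and never binds."""
    name: str


def unify(pattern, value, bindings=None):
    """Return the variable bindings if `pattern` unifies with `value`, else None.

    Rego's `=` unifies both sides; for a ground value on the right this reduces
    to structural matching where each pattern element is checked against the
    value element at the same position. That positional check is exactly what
    a reordered array literal breaks.
    """
    if bindings is None:
        bindings = {}
    if isinstance(pattern, Var):
        if pattern.name == "_":
            return bindings
        if pattern.name in bindings:
            return bindings if bindings[pattern.name] == value else None
        return {**bindings, pattern.name: value}
    if isinstance(pattern, list):
        if not isinstance(value, list) or len(pattern) != len(value):
            return None
        for p, v in zip(pattern, value):
            bindings = unify(p, v, bindings)
            if bindings is None:
                return None
        return bindings
    return bindings if pattern == value else None


def hello(pattern, inp):
    """Evaluate  hello { <pattern> = split(input.resource, "/") }.
    Returns {"hello": True} when the body succeeds, {} when the rule is undefined."""
    parts = inp["resource"].split("/")  # Rego split/2 on a single-character separator
    return {"hello": True} if unify(pattern, parts) is not None else {}


SOURCE_PATTERN = ["foo", Var("_")]  # the rule as the author wrote it
BUILT_PATTERN = [Var("_"), "foo"]   # the rule as an affected `opa build -O=1` could emit it

if __name__ == "__main__":
    # Constructed sample input, matching the post's example.
    inp = {"resource": "foo/bar"}
    print(hello(SOURCE_PATTERN, inp))  # {'hello': True}
    print(hello(BUILT_PATTERN, inp))   # {}
    # A named variable must take the same value at every position it occurs.
    print(unify([Var("x"), Var("x")], ["a", "a"]))  # {'x': 'a'}
    print(unify([Var("x"), Var("x")], ["a", "b"]))  # None
```

The point of the model is that nothing about the transposed rule is syntactically wrong: it is a valid, well-formed Rego rule that simply encodes a different check, which is why the miscompiled bundle loads and evaluates without error while returning the wrong decision.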

Solution

Users relying on `opa build` with `--optimize=1` or greater should upgrade the OPA used for building to v0.37.2 or greater and rebuild any bundles that were produced with an affected version.

References

If you have any questions, you can reach out to support@styra.com.
