CVE-2022-23628 was published last week by the Open Policy Agent (OPA) project maintainers after a user reported unexpected behavior from a policy bundle that was built with optimizations enabled.
The problem stemmed from a fix in the v0.33.1 release for a regression in how the `opa fmt` command and the underlying `format` package pretty-printed Rego object literals. That fix could in turn cause elements of array literals to be reordered in the pretty-printed output if any of the elements were generated programmatically.
Because the `opa build` command pretty-prints optimized (i.e., partially evaluated) Rego source files before including them in bundles, it was possible for the `opa build` command to inadvertently change the logic of statements containing array literals.
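To show why reordering the elements of an array literal changes a policy's logic, here is a minimal model of Rego's element-wise array unification (an added illustration, not OPA's code or the post's own example; strings beginning with `$` stand in for Rego variables, and the rule shapes are hypothetical):

```python
"""Why element order matters when a Rego array literal is unified with input.

Constructed model for the CVE-2022-23628 discussion, not OPA's implementation:
a tiny unifier over Rego-like array patterns in which strings starting with
'$' stand in for Rego variables. The same input matches the original literal
and its reordered form differently, so a pretty-printer that reorders
elements silently changes decisions.
"""
from typing import Any, Dict, Optional

Bindings = Dict[str, Any]


def is_var(term: Any) -> bool:
    return isinstance(term, str) and term.startswith("$")


def unify(pattern: Any, value: Any, bindings: Optional[Bindings] = None) -> Optional[Bindings]:
    """Return variable bindings if `pattern` unifies with `value`, else None."""
    if bindings is None:
        bindings = {}
    if is_var(pattern):
        if pattern in bindings:  # a variable bound earlier must agree with this value
            return bindings if bindings[pattern] == value else None
        return {**bindings, pattern: value}
    if isinstance(pattern, list):
        # Rego arrays unify element-wise and only when lengths are equal
        if not isinstance(value, list) or len(pattern) != len(value):
            return None
        for p, v in zip(pattern, value):
            bindings = unify(p, v, bindings)
            if bindings is None:
                return None
        return bindings
    return bindings if pattern == value else None


# Hypothetical rule body of the affected kind: `["admin", x] = input.roles`
ORIGINAL_PATTERN = ["admin", "$x"]
# The same literal after an order-changing pretty-print: `[x, "admin"] = input.roles`
REORDERED_PATTERN = ["$x", "admin"]


def allow(pattern: list, roles: list) -> bool:
    return unify(pattern, roles) is not None


def compare_decisions(roles: list) -> Dict[str, bool]:
    """Decision from the source policy versus the reordered (optimized) bundle."""
    return {"original": allow(ORIGINAL_PATTERN, roles),
            "reordered": allow(REORDERED_PATTERN, roles)}


if __name__ == "__main__":
    for roles in (["admin", "dev"], ["dev", "admin"], ["admin"]):
        print(roles, compare_decisions(roles))  # constructed sample inputs
```

Running the optimized bundle and the unoptimized source against the same sample inputs and diffing the decisions, as `compare_decisions` does here, is the practical check for a bundle built with an affected version.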
This post outlines the status, impact and solution to the problem.
The impact of CVE-2022-23628 is limited to cases where Rego ASTs are programmatically generated and then pretty-printed by OPA v0.33.1 (inclusive) to OPA v0.37.2 (exclusive).
Specifically, this could occur if `opa build` was used with `--optimize=1` or `-O=1` (or greater) to produce a bundle that was then distributed to OPAs for enforcement.
Styra Declarative Authorization Service (DAS) customers were not affected because bundle optimizations were not enabled in any Styra DAS release that relied on OPA versions v0.33.1 to v0.37.2. If you are an on-premises customer and you have enabled this feature flag, please contact your CSM or email@example.com for help.
Because this issue primarily affects bundle build operations, users DO NOT have to upgrade OPA deployments immediately. For example, a bundle built with optimizations enabled with OPA v0.37.2 can be safely deployed to OPA v0.36.1.
Policies containing statements that perform pattern-matching on Rego arrays containing variables could generate incorrect decisions. For example, given the following rule: