CVE-2022-23628, OPA and Styra DAS


CVE-2022-23628 was published last week by the Open Policy Agent (OPA) project maintainers after a user reported unexpected behavior from a policy bundle that was built with optimizations enabled.

The problem stemmed from a fix shipped in the v0.33.1 release that addressed incorrect pretty-printing of Rego object literals by the `opa fmt` command and the underlying `format` package. That fix introduced a regression: elements of array literals could be reordered in the pretty-printed output if any of the elements had been generated programmatically rather than parsed from a source file.

The `opa build` command pretty-prints optimized (i.e., partially evaluated) Rego source files before including them in bundles, and partial evaluation produces exactly the kind of programmatically generated terms that triggered the regression. As a result, `opa build` could inadvertently change the logic of statements containing array literals.

This post outlines the status, impact and solution to the problem.

Status

The impact of CVE-2022-23628 is limited to cases where Rego ASTs are programmatically generated and then pretty-printed by OPA v0.33.1 (inclusive) to OPA v0.37.2 (exclusive).

Specifically, this could occur if `opa build` was used with `--optimize=1` or `-O=1` (or greater) to produce a bundle that was then distributed to OPAs for enforcement.

Styra Declarative Authorization Service (DAS) customers were not affected: Styra DAS did not enable bundle optimizations in any release that relied on an OPA version in the affected range (v0.33.1 to v0.37.2, exclusive). If you are an on-premises customer and you have enabled this feature flag, please contact your CSM or support@styra.com for help.

Because the defect lives in the build step rather than in policy evaluation, the fix matters on the machine that runs `opa build`; the OPA instances that consume the bundle DO NOT have to be upgraded immediately. For example, a bundle built with optimizations enabled by OPA v0.37.2 can be safely deployed to OPA v0.36.1.

Impact

Policies containing statements that perform pattern-matching on Rego arrays containing variables could generate incorrect decisions. For example, given the following rule:

```
hello {
    ["foo", _] = split(input.resource, "/")
}
```

This issue could transpose the array elements on the second line, turning the rule emitted in the output bundle into:

```
hello {
    [_, "foo"] = split(input.resource, "/")
}
```

As a result, with an input of `{"resource": "foo/bar"}` the outcome of the policy would change from:

```
{
    "hello": true
}
```

To (undefined):

```
{}
```

Solution

Users relying on `opa build` with `--optimize=1` or greater should upgrade to OPA v0.37.2 or greater.
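As an added example (not from this post or from the OPA project), the following POSIX shell script wraps the two checks a practitioner would want after reading the Status and Impact sections above: whether the `opa` binary that builds your bundles falls in the affected range v0.33.1 (inclusive) to v0.37.2 (exclusive), and a differential test that evaluates the same query against the source policy and against the `-O=1` bundle built from it, so a reordered array literal shows up as a changed decision instead of going unnoticed in production. The `opa build -O/-e/-o` and `opa eval -d/-b/-i/-f` flags are OPA's documented CLI; the sample policy and input, and the `opa_version_affected` and `differential_check` function names, are constructed for this example.

```shell
#!/bin/sh
# Added example for CVE-2022-23628 (not code from the Styra post or the OPA project).
# The affected version range comes from the post; the policy, input and function
# names below are constructed for illustration.

# Turn "v0.37.2" / "0.37.2" / "0.37.2-dev" into a sortable integer
# (major*10^6 + minor*10^3 + patch).
version_key() {
  v=${1#v}
  IFS=. read -r maj min pat <<EOF
$v
EOF
  pat=${pat%%-*}
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# True when the given OPA version is in [v0.33.1, v0.37.2), i.e. when its
# `opa build -O=1` output may contain reordered array literals.
opa_version_affected() {
  key=$(version_key "$1")
  if [ "$key" -ge "$(version_key 0.33.1)" ] && [ "$key" -lt "$(version_key 0.37.2)" ]; then
    return 0
  fi
  return 1
}

# Version of the opa binary on PATH ("opa version" prints a "Version: x.y.z" line).
installed_opa_version() {
  opa version | awk '/^Version:/ { print $2 }'
}

# Differential check: build an optimized bundle from the source policy, then
# evaluate the same query (with the same input) against both. Any difference in
# the decision is reported as a failure.
differential_check() {
  policy_dir=$1 entrypoint=$2 query=$3 input=$4
  out=$(mktemp -d)
  opa build "$policy_dir" -O=1 -e "$entrypoint" -o "$out/optimized.tar.gz"
  opa eval -d "$policy_dir" -i "$input" -f json "$query" > "$out/source.json"
  opa eval -b "$out/optimized.tar.gz" -i "$input" -f json "$query" > "$out/bundle.json"
  if diff "$out/source.json" "$out/bundle.json"; then
    echo "OK: optimized bundle agrees with source for $query"
  else
    echo "MISMATCH: optimized bundle changed the decision for $query" >&2
    return 1
  fi
}

main() {
  if ! command -v opa >/dev/null 2>&1; then
    echo "opa not found on PATH" >&2
    return 1
  fi
  ver=$(installed_opa_version)
  if opa_version_affected "$ver"; then
    echo "opa $ver is in the affected range; upgrade to v0.37.2 or later before building optimized bundles" >&2
  fi

  work=$(mktemp -d)
  mkdir -p "$work/policy"
  # Constructed policy reproducing the array pattern from the post.
  cat > "$work/policy/example.rego" <<'EOF'
package example

hello {
    ["foo", _] = split(input.resource, "/")
}
EOF
  printf '{"resource": "foo/bar"}\n' > "$work/input.json"
  differential_check "$work/policy" example/hello data.example.hello "$work/input.json"
}

# Run the checks when invoked as `sh check_opa_bundle.sh run`; the functions can
# also be sourced and used individually.
if [ "${1:-}" = "run" ]; then
  main
fi
```

The version check alone needs no `opa` binary on the machine. The differential test is only as good as its inputs: an input such as `{"resource": "foo/foo"}` satisfies both the original and the transposed pattern, so exercise each array pattern with inputs that distinguish element positions.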

References

If you have any questions, you can reach out to support@styra.com.
