VaultDestinationPlugin.upload in lemur/plugins/lemur_vault_dest/plugin.py calls os._exit(1) when a certificate's Subject Alternative Name does not match the destination's configured sanFilter regex.
os._exit() invokes the C library _exit() syscall; According to the official docs ( https://docs.python.org/3/library/os.html#os._exit ), it "Exits the process with status n, without calling cleanup handlers, flushing stdio buffers, etc."
In particular, it does not raise SystemExit, does not unwind the Python stack, and cannot be caught by any try/except (not even except BaseException). There's a surrounding SQLAlchemy event handler in lemur/certificates/models.py which wraps the upload call in try/except Exception, but it provides no protection against this code path for these reasons.
Therefore, an authenticated user with permission to attach destinations to a certificate, can reliably kill a Lemur WSGI worker or Celery worker on demand by uploading a certificate whose SAN list violates the sanFilter of an existing Vault destination. As os._exit bypasses logging flush, Sentry capture, and audit-log write, the bug leaves minimal forensic trail. It would look like an unexplained worker crash.
VaultDestinationPlugin.uploadinlemur/plugins/lemur_vault_dest/plugin.pycallsos._exit(1)when a certificate's Subject Alternative Name does not match the destination's configuredsanFilterregex.os._exit()invokes the C library_exit()syscall; According to the official docs ( https://docs.python.org/3/library/os.html#os._exit ), it "Exits the process with status n, without calling cleanup handlers, flushing stdio buffers, etc."In particular, it does not raise
SystemExit, does not unwind the Python stack, and cannot be caught by anytry/except(not evenexcept BaseException). There's a surrounding SQLAlchemy event handler inlemur/certificates/models.pywhich wraps the upload call intry/except Exception, but it provides no protection against this code path for these reasons.Therefore, an authenticated user with permission to attach destinations to a certificate, can reliably kill a Lemur WSGI worker or Celery worker on demand by uploading a certificate whose SAN list violates the
sanFilterof an existing Vault destination. Asos._exitbypasses logging flush, Sentry capture, and audit-log write, the bug leaves minimal forensic trail. It would look like an unexplained worker crash.