SB2024020768 - Multiple vulnerabilities in Graylog
Published: February 7, 2024 Updated: June 25, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Session Fixation (CVE-ID: CVE-2024-24823)
CWE-ID: CWE-384 - Session Fixation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain elevated access to an existing Graylog login session.
The vulnerability exists due to session fixation in the /api/system/sessions endpoint when reauthenticating with an existing session cookie. A remote privileged user can inject a chosen session cookie into a victim's browser to gain elevated access to an existing Graylog login session.
User interaction is required to present a spoofed login screen, and exploitation also requires successful session cookie injection into an existing browser session.
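The defensive point behind this finding is that a server must never keep a session identifier the client already holds when a (re)authentication succeeds; it has to mint a fresh one and retire the old. The following Python model, added here as an illustration and not taken from Graylog's code base, contrasts the two behaviours with a toy in-memory session store. The store, its method names and the user names are constructed for the example; the check function reports whether an identifier known before authentication ends up bound to the newly authenticated principal.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Toy session store (constructed for this example, not Graylog's implementation)."""
    rotate_on_auth: bool                     # True = regenerate the id on every authentication
    sessions: dict = field(default_factory=dict)  # session id -> authenticated principal

    def authenticate(self, username, roles, presented_cookie=None):
        """Authenticate a user and return the session id the client should use from now on."""
        principal = {"user": username, "roles": set(roles)}
        if not self.rotate_on_auth and presented_cookie in self.sessions:
            # Weak behaviour: the id the browser already presented is kept and simply
            # re-bound to the newly authenticated (possibly more privileged) principal.
            self.sessions[presented_cookie] = principal
            return presented_cookie
        # Hardened behaviour: retire whatever id was presented and mint an unguessable one.
        self.sessions.pop(presented_cookie, None)
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = principal
        return new_id

    def whoami(self, cookie):
        """Return the user bound to a session id, or None if the id is not live."""
        entry = self.sessions.get(cookie)
        return entry["user"] if entry else None


def fixation_succeeds(rotate_on_auth):
    """Return True if an id known before authentication is later bound to the admin."""
    store = SessionStore(rotate_on_auth=rotate_on_auth)
    known_id = store.authenticate("lowpriv", ["reader"])      # id already held by a low-privilege party
    # The administrator authenticates while that cookie is present in the browser.
    store.authenticate("admin", ["admin"], presented_cookie=known_id)
    return store.whoami(known_id) == "admin"


if __name__ == "__main__":
    print("without rotation, known id becomes admin session:", fixation_succeeds(False))
    print("with rotation, known id becomes admin session:   ", fixation_succeeds(True))
```

When rotation is enabled, the pre-existing id is removed from the store entirely, so a cookie planted before login is worthless afterwards; this is the property to assert in an integration test of any login or re-authentication endpoint.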
2) Improper access control (CVE-ID: CVE-2024-24824)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code and disclose sensitive information.
The vulnerability exists due to improper access control in the /api/system/cluster_config/ endpoint when handling crafted HTTP PUT requests that specify fully qualified class names. A remote user can send a specially crafted request to execute arbitrary code and disclose sensitive information.
Exploitation requires permissions to create and edit cluster configuration entries, and the information disclosure example relies on instantiating java.io.File.
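The mitigation pattern for this class of bug is to resolve a requested configuration type only against a registry of types the server itself registered, never by loading whatever fully qualified name the request carries. The Python example below is added here and is not Graylog's code: it shows an allowlist-backed resolver and a small detection routine that scans access-log lines for writes to the cluster-config endpoint naming a type outside the registry. The registry entries, the log lines and the assumption that the type name appears as the last path segment of the request URL are all constructed for the example.

```python
import re

# Constructed allowlist of permitted configuration type names (hypothetical, not Graylog's registry).
ALLOWED_CONFIG_TYPES = {
    "org.example.config.RetentionConfig",
    "org.example.config.IndexSetDefaults",
}

# A fully qualified Java-style class name: dotted identifiers, at least two segments.
_FQCN = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$")


def is_permitted_config_type(requested_name, registry=ALLOWED_CONFIG_TYPES):
    """True only for well-formed names that the server registered itself."""
    return bool(_FQCN.match(requested_name)) and requested_name in registry


def resolve_config_type(requested_name, registry=ALLOWED_CONFIG_TYPES):
    """Return the registered type name, or raise; never resolve an arbitrary class from input."""
    if not _FQCN.match(requested_name):
        raise ValueError("malformed class name")
    if requested_name not in registry:
        raise PermissionError(f"{requested_name} is not a registered cluster config type")
    return requested_name


# Constructed access-log lines in a common-log style; the URL shape is an assumption.
LOG_LINES = [
    '10.0.0.5 - alice [07/Feb/2024:10:00:01 +0000] "PUT /api/system/cluster_config/org.example.config.RetentionConfig HTTP/1.1" 202 0',
    '10.0.0.9 - bob [07/Feb/2024:10:02:13 +0000] "PUT /api/system/cluster_config/java.io.File HTTP/1.1" 202 0',
    '10.0.0.9 - bob [07/Feb/2024:10:02:20 +0000] "GET /api/system/cluster_config/ HTTP/1.1" 200 512',
]

_REQ = re.compile(
    r'^(\S+) \S+ (\S+) \[[^\]]+\] "(PUT|POST) /api/system/cluster_config/([^ /?]+)'
)


def flag_unregistered_config_writes(lines, registry=ALLOWED_CONFIG_TYPES):
    """Return (user, requested_type) for each write naming a type outside the registry."""
    hits = []
    for line in lines:
        m = _REQ.match(line)
        if m and not is_permitted_config_type(m.group(4), registry):
            hits.append((m.group(2), m.group(4)))
    return hits


if __name__ == "__main__":
    for user, type_name in flag_unregistered_config_writes(LOG_LINES):
        print(f"cluster_config write by {user} names unregistered type {type_name}")
```

Because the resolver consults a fixed registry, the set of classes that can ever be instantiated through the endpoint is decided at build time rather than by the caller; the log scan gives an after-the-fact check that the same boundary held in production.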
Remediation
Install the update from the vendor's website.
References
- https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh
- https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj
- https://github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214