CVE-2024-28253
Weakness (CWE)
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: Low
Description
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Comprehensive Technical Analysis of CVE-2024-28253
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2024-28253
CVSS Score: 9.4
Severity: Critical
Description: The vulnerability involves an expression language injection in the CompiledRule::validateExpression method within the OpenMetadata platform. This method is called from PolicyRepository.prepare, which in turn is invoked by EntityRepository.prepareInternal() and subsequently by EntityResource.createOrUpdate(). The authorization check (authorizer.authorize()) occurs after the SpEL (Spring Expression Language) expression has been evaluated, allowing for potential Remote Code Execution (RCE).
Impact: This vulnerability can lead to RCE, enabling attackers to execute arbitrary code on the affected system. The high CVSS score of 9.4 indicates a critical risk, emphasizing the need for immediate attention and remediation.
2. Potential Attack Vectors and Exploitation Methods
Attack Vector: An attacker can exploit this vulnerability by sending a specially crafted PUT request to the /api/v1/policies endpoint. This request is handled by PolicyResource.createOrUpdate(), which eventually calls the vulnerable CompiledRule::validateExpression method.
Exploitation Methods:
- Crafted PUT Request: The attacker can craft a PUT request with a malicious payload designed to exploit the SpEL expression injection.
- Code Execution: By injecting malicious expressions, the attacker can execute arbitrary code on the server, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.
3. Affected Systems and Software Versions
Affected Software: OpenMetadata platform
Affected Versions: Versions prior to 1.3.1
Fixed Version: The vulnerability has been addressed in version 1.3.1.
4. Recommended Mitigation Strategies
Immediate Actions:
- Upgrade: Users are strongly advised to upgrade to OpenMetadata version 1.3.1 or later, which includes the fix for this vulnerability.
- Patch Management: Implement a robust patch management process to ensure timely updates and patches for all software components.
Long-Term Strategies:
- Input Validation: Enhance input validation mechanisms to sanitize and validate all user inputs, especially those that interact with expression languages.
- Authorization Checks: Ensure that authorization checks are performed before any potentially dangerous operations, such as expression evaluation.
- Security Audits: Conduct regular security audits and code reviews to identify and mitigate similar vulnerabilities.
5. Impact on Cybersecurity Landscape
Broader Implications:
- Supply Chain Security: Vulnerabilities in widely used platforms like OpenMetadata can have cascading effects on the entire supply chain, affecting multiple organizations and industries.
- Remote Code Execution: RCE vulnerabilities are particularly dangerous as they can lead to full system compromise, making them a high-priority target for attackers.
- Incident Response: Organizations need to be prepared with robust incident response plans to quickly detect and mitigate such vulnerabilities.
6. Technical Details for Security Professionals
Code Flow:
- Entry Point: The attacker sends a PUT request to /api/v1/policies.
- Request Handling: The request is handled by PolicyResource.createOrUpdate().
- Method Calls: PolicyResource.createOrUpdate() calls EntityResource.createOrUpdate(); EntityResource.createOrUpdate() calls EntityRepository.prepareInternal(); EntityRepository.prepareInternal() calls PolicyRepository.prepare(); PolicyRepository.prepare() calls CompiledRule::validateExpression.
- Vulnerable Method: CompiledRule::validateExpression evaluates the SpEL expression before the authorization check (authorizer.authorize()) runs, allowing for injection.
Detection and Monitoring:
- Log Analysis: Monitor logs for unusual activity related to the /api/v1/policies endpoint.
- Intrusion Detection: Implement intrusion detection systems (IDS) to detect and alert on suspicious PUT requests.
- Behavioral Analysis: Use behavioral analysis tools to identify anomalous behavior that may indicate an exploitation attempt.
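The log-analysis and behavioral points above, as an added example that is not part of the original advisory or of the OpenMetadata project: it scans constructed access-log lines for policy writes whose rule conditions carry raw SpEL syntax markers, and for bursts of policy writes from one client. The log line format, the marker list, the burst threshold and the inclusion of POST alongside PUT are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from any real OpenMetadata deployment).
# Assumed line format: "<client-ip> <method> <path> <status> body=<json-or-empty>"
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/policies 200 body=
10.0.0.9 PUT /api/v1/policies 201 body={"name":"ownerPolicy","rules":[{"condition":"isOwner()"}]}
10.0.0.9 PUT /api/v1/policies 201 body={"name":"p2","rules":[{"condition":"#{placeholder}"}]}
10.0.0.9 PUT /api/v1/policies 400 body={"name":"p3","rules":[{"condition":"T(placeholder.Type)"}]}
10.0.0.7 PUT /api/v1/tables/abc 200 body={"description":"ok"}
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) body=(?P<body>.*)$")
POLICY_PATH = "/api/v1/policies"
# SpEL syntax a normal policy condition such as isOwner() has no need for:
# template delimiters and the type-reference operator (assumed marker list).
SPEL_MARKERS = ("#{", "${", "T(")
BURST_THRESHOLD = 3  # policy writes from one client before a burst is flagged (assumed)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_policy_write(rec):
    # The advisory names PUT; treating POST as in scope is a defensive assumption.
    return rec["method"] in ("PUT", "POST") and rec["path"].startswith(POLICY_PATH)

def scan(log_text):
    findings = []
    writes_per_ip = Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or not is_policy_write(rec):
            continue
        writes_per_ip[rec["ip"]] += 1
        hit = [m for m in SPEL_MARKERS if m in rec["body"]]
        if hit:
            # An error status does not mean the expression went unevaluated: the advisory
            # states validateExpression runs before authorization, so flag regardless of status.
            findings.append({"line": lineno, "ip": rec["ip"], "reason": "spel-marker", "markers": hit})
    for ip, n in writes_per_ip.items():
        if n >= BURST_THRESHOLD:
            findings.append({"line": None, "ip": ip, "reason": "policy-write-burst", "count": n})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings from this scan should be correlated with the deployed OpenMetadata version: on versions before 1.3.1 a flagged write is a likely exploitation attempt, on 1.3.1 or later it is still worth reviewing as reconnaissance.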
Conclusion: CVE-2024-28253 represents a critical vulnerability in the OpenMetadata platform that can lead to RCE. Immediate action is required to upgrade to the patched version and implement robust security measures to prevent future exploitation. Regular security audits and proactive monitoring are essential to maintain a strong cybersecurity posture.