Description
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS Score:
83%
Comprehensive Technical Analysis of EUVD-2024-1147
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description:
The vulnerability in OpenMetadata, identified as EUVD-2024-1147, involves a Remote Code Execution (RCE) risk due to improper handling of Spring Expression Language (SpEL) expressions. Specifically, the CompiledRule::validateExpression method is called from PolicyRepository.prepare, which in turn is invoked by EntityRepository.prepareInternal() and subsequently by EntityResource.createOrUpdate(). The authorization check (authorizer.authorize()) occurs after the SpEL expression evaluation, allowing unauthorized code execution.
Severity Evaluation:
- CVSS Base Score: 9.4
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
The high CVSS score indicates a critical vulnerability due to the following factors:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): Low (L)
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- An attacker can exploit this vulnerability by sending a crafted PUT request to the /api/v1/policies endpoint.
- The malicious SpEL expression can be injected into the request, leading to arbitrary code execution on the server.
Exploitation Methods:
- SpEL Injection: The attacker can inject SpEL expressions that are evaluated by the server, allowing for the execution of arbitrary code.
- Unauthorized Access: Since the authorization check occurs after the SpEL expression evaluation, an attacker can bypass authorization controls.
3. Affected Systems and Software Versions
Affected Systems:
- OpenMetadata versions prior to 1.3.1 are vulnerable.
Software Versions:
- All versions of OpenMetadata before 1.3.1.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade: Users are strongly advised to upgrade to OpenMetadata version 1.3.1 or later, which addresses this vulnerability.
Additional Mitigation:
- Input Validation: Implement robust input validation to sanitize and validate all user inputs, especially those that could contain SpEL expressions.
- Authorization Checks: Ensure that authorization checks are performed before any potentially dangerous operations, such as expression evaluation.
- Monitoring: Implement monitoring and logging to detect and respond to any suspicious activities or unauthorized access attempts.
5. Impact on European Cybersecurity Landscape
Impact Analysis:
- Data Breach: The vulnerability can lead to unauthorized access and potential data breaches, compromising sensitive information.
- Service Disruption: The execution of arbitrary code can disrupt services, leading to downtime and potential financial losses.
- Compliance Risks: Organizations may face compliance issues if sensitive data is compromised, especially under regulations like GDPR.
European Context:
- Critical Infrastructure: Organizations using OpenMetadata in critical infrastructure sectors (e.g., healthcare, finance) are at high risk.
- Regulatory Compliance: European organizations must ensure compliance with GDPR and other relevant regulations, making timely mitigation crucial.
6. Technical Details for Security Professionals
Code Analysis:
- Vulnerable Code Path:
  1. PolicyResource.createOrUpdate() handles PUT requests to /api/v1/policies.
  2. EntityResource.createOrUpdate() calls EntityRepository.prepareInternal().
  3. EntityRepository.prepareInternal() calls PolicyRepository.prepare().
  4. PolicyRepository.prepare() calls CompiledRule::validateExpression.
Exploitation Details:
- SpEL Injection Point: The SpEL expression is evaluated in CompiledRule::validateExpression before the authorization check.
- Authorization Bypass: The authorization check (authorizer.authorize()) is performed after the SpEL expression evaluation, allowing unauthorized code execution.
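The two defensive points made in this analysis, performing the authorization check before any request-supplied expression is evaluated (section 4, "Authorization Checks") and constraining what a rule expression may do (section 4, "Input Validation"), as an added Java example that inverts the vulnerable call order shown above. This is not OpenMetadata code and does not reproduce the project's 1.3.1 fix; Authorizer, Policy, PolicyRule and RuleContext are hypothetical stand-ins for the project's own types, and the only real dependency is Spring's spring-expression module (SpelExpressionParser, SimpleEvaluationContext). Records require Java 16 or later.

```java
import java.util.List;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/*
 * Added illustration, not OpenMetadata code. Authorizer, Policy, PolicyRule and
 * RuleContext are hypothetical stand-ins for the project's own types.
 */
public class HardenedPolicyService {

    public interface Authorizer {
        boolean mayEditPolicies(String principal);
    }

    public record PolicyRule(String name, String condition) {}

    public record Policy(String name, List<PolicyRule> rules) {}

    /** The only object a rule condition can see; its public methods are the whole API. */
    public static class RuleContext {
        public boolean isOwner() { return true; }
        public boolean matchAnyTag(String... tags) { return tags.length > 0; }
    }

    private static final int MAX_CONDITION_LENGTH = 256;
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    private final Authorizer authorizer;

    public HardenedPolicyService(Authorizer authorizer) {
        this.authorizer = authorizer;
    }

    /**
     * Order matters: the caller is authorized before anything taken from the request
     * body is parsed or evaluated, which is the inverse of the vulnerable sequence
     * (prepare -> validateExpression -> authorize) described in this analysis.
     */
    public Policy createOrUpdate(String principal, Policy incoming) {
        if (!authorizer.mayEditPolicies(principal)) {
            throw new SecurityException("not permitted to create or update policies");
        }
        for (PolicyRule rule : incoming.rules()) {
            validateCondition(rule.condition());
        }
        return incoming; // persistence omitted
    }

    /**
     * Compile and test-evaluate a rule condition in a restricted context.
     * SimpleEvaluationContext rejects type references (T(...)), constructors, bean
     * references and assignment with a SpelEvaluationException; withInstanceMethods()
     * permits only instance methods on the RuleContext root object.
     */
    public static boolean validateCondition(String condition) {
        if (condition == null || condition.isBlank() || condition.length() > MAX_CONDITION_LENGTH) {
            throw new IllegalArgumentException("rule condition is missing or too long");
        }
        Expression expr = PARSER.parseExpression(condition);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withInstanceMethods()
                .build();
        Object result = expr.getValue(ctx, new RuleContext());
        if (!(result instanceof Boolean)) {
            throw new IllegalArgumentException("rule condition must evaluate to a boolean");
        }
        return (Boolean) result;
    }

    public static void main(String[] args) {
        // Accepted: the condition only calls methods that RuleContext exposes.
        System.out.println(validateCondition("isOwner() || matchAnyTag('PII', 'Sensitive')"));

        // Rejected: a type reference, even to a harmless class, cannot be resolved in this context.
        try {
            validateCondition("T(java.lang.Math).abs(-1) == 1");
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());
        }

        // Rejected before any parsing: the caller lacks the policy-edit permission.
        HardenedPolicyService service = new HardenedPolicyService(principal -> false);
        try {
            service.createOrUpdate("anonymous",
                    new Policy("p1", List.of(new PolicyRule("r1", "isOwner()"))));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is that the expression evaluator is given no way to reach arbitrary classes at all, rather than relying on a blocklist of dangerous tokens: with SimpleEvaluationContext the root object's public methods define the entire vocabulary available to a rule, so the validation step can focus on length, shape and result type. The length cap and the boolean-result check are assumptions chosen for this illustration, not values taken from the project.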
References:
- GitHub Security Advisory
- NVD Detail
- CodeQL Query Help
- OpenMetadata GitHub Repository
- Security Lab Advisory
Conclusion: This vulnerability poses a significant risk to organizations using OpenMetadata. Immediate action, including upgrading to the patched version and implementing additional security measures, is essential to mitigate the risk of Remote Code Execution and potential data breaches.