org.graylog2:graylog2-server@2.5.0 vulnerabilities

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Improper Access Control via the /api/system/cluster_config/ endpoint. An attacker can execute arbitrary code that is run during class instantiation by sending a specially crafted HTTP PUT request.

Note:

This is only exploitable if the attacker possesses the clusterconfigentry:create and clusterconfigentry:edit permissions, which are typically only granted to Admin users.

Upgrade org.graylog2:graylog2-server to version 5.1.11, 5.2.4 or higher.

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Insecure Randomness such that an external attacker could inject forged DNS responses into a Graylog's lookup table cache. Graylog seems to bind a single socket for outgoing DNS queries. That socket is bound to a random port number which is not changed again.

Upgrade org.graylog2:graylog2-server to version 5.0.9, 5.1.3 or higher.

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Insufficient Session Expiration such that in a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. After a user has logged out, the UI shows the login screen again, which gives the user the impression that their session is not valid anymore. However, if the session becomes compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out.

Upgrade org.graylog2:graylog2-server to version 5.0.9, 5.1.3 or higher.

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Directory Traversal. When starting Graylog with the JVM -cp classpath options, instead of using the default -jar for the bundled classes, the API REST endpoint /api-browser/.* would allow path traversal to allow reading files on the server's filesystem.

For example, when starting graylog-server like:

/usr/local/openjdk-8/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -cp /usr/share/graylog:/usr/share/graylog/graylog.jar -Dlog4j.configurationFile=/usr/share/graylog/data/config/log4j2.xml -Djava.library.path=/usr/share/graylog/lib/sigar/ -Dgraylog2.installation_source=docker org.graylog2.bootstrap.Main server -f /usr/share/graylog/data/config/graylog.conf

The use of -cp /usr/share/graylog:/usr/share/graylog/graylog.jar triggers the vulnerability.

The check for .. elements in the resulting file path for documentation resources is performed too early in the resolution process. As a result, an attacker can craft a URL that can contain .. elements and thus read files the server process has access to.

Note: This vulnerability does not apply to the standard installation methods.

Upgrade org.graylog2:graylog2-server to version 4.0.0-beta.1 or higher.

org.graylog2:graylog2-server is a log management platform.

Affected versions of this package are vulnerable to Improper Certificate Validation. It accepts LDAP server certificates whose root certificate is not in any trust store. This presents a vulnerability for man-in-the-middle attacks.

Upgrade org.graylog2:graylog2-server to version 3.3.3 or higher.