Insufficient Session Expiration Affecting org.graylog2:graylog2-server package, versions [1.0,5.0.9) [5.1.0,5.1.3)
- Snyk ID SNYK-JAVA-ORGGRAYLOG2-5759290
- published 7 Jul 2023
- disclosed 6 Jul 2023
- credit thll
Introduced: 6 Jul 2023
CVE-2023-41041
How to fix?
Upgrade org.graylog2:graylog2-server to version 5.0.9, 5.1.3 or higher.
Overview
org.graylog2:graylog2-server is a log management platform.
Affected versions of this package are vulnerable to Insufficient Session Expiration. In a multi-node Graylog cluster, after a user has explicitly logged out, the user's session may still be used for API requests until it reaches its original expiry time. After logging out, the UI shows the login screen again, which gives the user the impression that their session is no longer valid. However, if the session is compromised later, it can still be used to perform API requests against the Graylog cluster. The time frame for this is limited to the configured session lifetime, starting from the time when the user logged out.
PoC
In a 2-node setup, with both nodes behind a load balancer:
1. Log in
2. Extract the session ID from the cookie
3. Log out and close the browser
4. Perform the following API request repeatedly with curl (with <session-id> replaced with the session ID from step 2 and <lb-host> replaced with the hostname of your load balancer):
   curl -I -H X-Graylog-No-Session-Extension:true https://<session-id>:session@<lb-host>/api/system/cluster/nodes
5. Notice that the request is sometimes rejected, but sometimes succeeds
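As an added illustration (not Graylog's code; the per-node session cache and the `revalidate` fix are modelling assumptions), the following Python models why a logout handled by one node can leave another node accepting the session until its original expiry, which is the intermittent success the PoC observes behind a load balancer:

```python
from dataclasses import dataclass, field

SESSION_LIFETIME = 3600.0  # seconds; stands in for the configured session lifetime (constructed)

@dataclass
class SharedStore:
    """Cluster-wide session store: session_id -> expiry timestamp."""
    sessions: dict = field(default_factory=dict)

@dataclass
class Node:
    """Cluster node with a per-node session cache (modelling assumption).
    revalidate=True models a corrected node that consults the shared store on every request."""
    store: SharedStore
    revalidate: bool = False
    cache: dict = field(default_factory=dict)

    def login(self, session_id: str, now: float) -> None:
        self.cache[session_id] = self.store.sessions[session_id] = now + SESSION_LIFETIME

    def logout(self, session_id: str) -> None:
        self.store.sessions.pop(session_id, None)
        self.cache.pop(session_id, None)  # only this node's cache is cleared

    def authorize(self, session_id: str, now: float) -> bool:
        if self.revalidate:
            expiry = self.store.sessions.get(session_id)
            if expiry is None or now >= expiry:
                self.cache.pop(session_id, None)
                return False
            return True
        # Vulnerable path: a cached session is trusted until its original expiry
        expiry = self.cache.get(session_id)
        if expiry is None:
            expiry = self.store.sessions.get(session_id)
            if expiry is None:
                return False
            self.cache[session_id] = expiry
        return now < expiry

def logged_out_session_accepted(revalidate: bool, elapsed: float = 2.0) -> list:
    """Log in via node A, let node B cache the session, log out via node A, then query both nodes."""
    store = SharedStore()
    a, b = Node(store, revalidate), Node(store, revalidate)
    t0 = 1_000_000.0  # constructed clock value
    a.login("sid-example", t0)
    b.authorize("sid-example", t0 + 1)  # node B now holds a cached copy
    a.logout("sid-example")
    return [a.authorize("sid-example", t0 + elapsed), b.authorize("sid-example", t0 + elapsed)]
```

With `revalidate=False` the two nodes answer `[False, True]` after logout, matching the sometimes-rejected, sometimes-accepted behaviour; with `revalidate=True` both nodes reject the session.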