CVE-2021-37759
📋 TL;DR
This vulnerability allows attackers to steal session IDs from Graylog DEBUG log files, enabling them to impersonate legitimate users and gain their access privileges. All Graylog installations before version 4.1.2 with DEBUG logging enabled are affected. Attackers can escalate privileges to the level of any user whose session ID appears in the logs.
💻 Affected Systems
- Graylog
📦 What is this software?
Graylog by Graylog
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Graylog instance with administrative privileges, allowing attackers to view all logs, modify configurations, create/delete users, and potentially pivot to other systems.
Likely Case
Privilege escalation to administrative or high-privilege user accounts, enabling data exfiltration, log manipulation, and further system compromise.
If Mitigated
Limited impact if DEBUG logging is disabled or logs are properly secured with restricted access permissions.
🎯 Exploit Status
Exploitation requires access to the DEBUG log files, which may be reachable through a web interface, the file system, or backup systems. No Graylog authentication is needed to read the logs if the files themselves are accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.2 and later
Vendor Advisory: https://www.graylog.org/post/announcing-graylog-v4-1-2
Restart Required: Yes
Instructions:
1. Back up your Graylog configuration and data.
2. Upgrade to Graylog 4.1.2 or later.
3. Restart Graylog services.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable DEBUG logging
Linux: Disable DEBUG logging globally to prevent session IDs from being written to log files.
Edit graylog.conf: root_logging_level = INFO
Restart Graylog: systemctl restart graylog-server
Restrict log file access
Linux: Set strict file permissions on Graylog log directories to prevent unauthorized access.
chmod 640 /var/log/graylog/*
chown graylog:graylog /var/log/graylog/*
🧯 If You Can't Patch
- Disable DEBUG logging immediately and audit log file permissions
- Implement network segmentation and restrict access to Graylog instances
🔍 How to Verify
Check if Vulnerable:
Check the Graylog version: dpkg -l | grep graylog-server or rpm -qa | grep graylog-server. If the version is below 4.1.2 and DEBUG logging is enabled, the system is vulnerable.
Check Version:
graylog-server --version or check /etc/graylog/server/server.conf
Verify Fix Applied:
Verify Graylog version is 4.1.2 or higher and check that DEBUG logging is disabled or session IDs are not present in logs.
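To act on the two checks above (a version below 4.1.2, and session IDs present in log lines), here is an added Python example that is not part of this advisory or of Graylog itself: it compares a package version string against 4.1.2 and scans log lines for a session ID next to a session/authentication keyword, redacting the ID in its report. The log line layout, the UUID shape of the session ID and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = (4, 1, 2)  # first release that no longer logs session IDs at DEBUG


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first X.Y.Z triple from e.g. 'ii  graylog-server  4.0.7-1  amd64'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True when the packaged version is older than the 4.1.2 fix."""
    return parse_version(text) < FIXED_VERSION


# Assumptions (not from the advisory): a log4j-style line "<timestamp> <LEVEL> <message>"
# and a UUID-formatted session ID.
LOG_LINE = re.compile(r"^\S+\s+(?P<level>[A-Z]+)\s+(?P<rest>.*)$")
SESSION_ID = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)
KEYWORD = re.compile(r"session|authentication", re.I)


def find_leaked_sessions(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, level, redacted_line) for every log line that pairs a
    session/authentication keyword with a session ID, at any level. DEBUG hits are
    the advisory's case; hits at other levels still mean IDs reach the log file."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if KEYWORD.search(rest) and SESSION_ID.search(rest):
            hits.append((n, m.group("level"), SESSION_ID.sub("<redacted-session-id>", line)))
    return hits


# Constructed sample log lines; the session ID below is made up for this example.
SAMPLE_LOG = """\
2021-07-20T10:00:01.123Z INFO  [ServerBootstrap] Graylog server 4.0.7 starting up
2021-07-20T10:00:05.456Z DEBUG [SessionAuthenticator] Looking up session 5f2d1c3a-9b8e-4d7f-a1b2-c3d4e5f60718 for authentication
2021-07-20T10:00:06.000Z INFO  [SessionAuthenticator] Session 5f2d1c3a-9b8e-4d7f-a1b2-c3d4e5f60718 authenticated
2021-07-20T10:00:07.000Z DEBUG [Periodical] running cleanup
""".splitlines()

if __name__ == "__main__":
    print("vulnerable package:", is_vulnerable_version("graylog-server 4.0.7-1"))
    for n, level, redacted in find_leaked_sessions(SAMPLE_LOG):
        print(f"line {n} [{level}]: {redacted}")
```

Run it against your own `dpkg -l`/`rpm -qa` output and the Graylog server log; any reported line means session IDs are still being written and the affected users' sessions should be treated as exposed.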
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to DEBUG log files
- Multiple failed login attempts followed by successful login from different IP
- Session IDs appearing in DEBUG logs
Network Indicators:
- Unusual access patterns to Graylog log directories
- Multiple authentication requests from single source
SIEM Query:
source="graylog" log_level="DEBUG" AND (message="session" OR message="authentication")