CVE-2021-38283
📋 TL;DR
This vulnerability allows remote attackers to access sensitive log files in Wipro Holmes Orchestrator by exploiting a predictable /log URI. Attackers can read application logs containing potentially sensitive information without authentication. Organizations running the affected version of Wipro Holmes Orchestrator are vulnerable.
💻 Affected Systems
- Wipro Holmes Orchestrator
📦 What is this software?
Holmes by Wipro
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive information including credentials, system details, or proprietary data from log files, leading to further system compromise or data exfiltration.
Likely Case
Unauthorized users access application logs containing debugging information, error messages, or potentially sensitive operational data.
If Mitigated
With proper access controls and network segmentation, impact is limited to unauthorized log file access without further system compromise.
🎯 Exploit Status
Exploitation requires only accessing a predictable URL path without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: Not found in provided references
Restart Required: No
Instructions:
1. Check Wipro's official security advisories for patch availability. 2. If patch is available, download and apply according to vendor instructions. 3. Verify the fix by testing the /log URI access.
🔧 Temporary Workarounds
Restrict access to /log URI
allConfigure web server or application firewall to block access to the /log URI path.
# Example for Apache: RewriteRule ^/log.*$ - [F]
# Example for Nginx: location ~ ^/log { deny all; }
Implement authentication for log access
allRequire authentication for accessing any log-related endpoints.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Holmes Orchestrator to authorized users only
- Deploy a web application firewall (WAF) with rules to block access to /log URI patterns
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[target]/log or similar predictable log URI paths. If log files are accessible without authentication, the system is vulnerable.Check Version:
Check application version through admin interface or consult documentation for version identification methods.Verify Fix Applied:
After applying mitigations, attempt to access the /log URI. Access should be denied or require authentication.📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /log URI
- Multiple failed authentication attempts followed by successful /log access
Network Indicators:
- HTTP requests to /log URI from unauthorized IP addresses
- Unusual traffic patterns to log-related endpoints
SIEM Query:
source="web_server" AND (uri_path="/log" OR uri_path CONTAINS "log") AND response_code=200