CVE-2023-31065
📋 TL;DR
This CVE describes an Insufficient Session Expiration vulnerability in Apache InLong where old sessions remain valid even after user deletion or password changes. Attackers can hijack these sessions to gain unauthorized access. Affects Apache InLong versions 1.4.0 through 1.6.0.
💻 Affected Systems
- Apache InLong
📦 What is this software?
Inlong by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent administrative access to InLong clusters, enabling data exfiltration, system manipulation, or complete compromise of data ingestion pipelines.
Likely Case
Unauthorized access to InLong management interfaces leading to data pipeline manipulation, configuration changes, or data access.
If Mitigated
Limited impact with proper network segmentation and monitoring, but session hijacking remains possible for authenticated users.
🎯 Exploit Status
Exploitation requires obtaining a valid session token, but once obtained, the attack is straightforward. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf
Restart Required: Yes
Instructions:
1. Upgrade Apache InLong to version 1.7.0 or later.
2. Alternatively, apply patches from GitHub PRs #7836 and #7884 to existing installations.
3. Restart all InLong services after patching.
🔧 Temporary Workarounds
Session Timeout Reduction
Reduce session timeout values to minimize the window for session hijacking
Modify session.timeout configuration in InLong properties files
Network Segmentation
Restrict access to InLong management interfaces to trusted networks only
Configure firewall rules to limit access to InLong ports (default 8080, 8081)
🧯 If You Can't Patch
- Implement strict network access controls to limit InLong interface exposure
- Deploy session monitoring and alerting for unusual session activity
🔍 How to Verify
Check if Vulnerable:
Check the InLong version via the web interface or configuration files. Versions 1.4.0 through 1.6.0 are vulnerable.
Check Version:
Check the InLong web interface or examine the version in configuration files.
Verify Fix Applied:
Verify version is 1.7.0 or later, or confirm patches from PRs #7836 and #7884 are applied.
📡 Detection & Monitoring
Log Indicators:
- Multiple sessions from same user with different IPs
- Session activity after user deletion/password change
- Unusual access patterns to management interfaces
Network Indicators:
- Unexpected connections to InLong management ports
- Session tokens being reused across different source IPs
SIEM Query:
source="inlong" AND (event="session_created" OR event="user_auth") | stats count by user, src_ip | where count > 1
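The two strongest log indicators above (session activity after a password change or user deletion, and one user holding sessions from several source IPs) can be checked offline against exported audit logs. The following is an added example written for this page, not code from the Apache InLong project or from the advisory; the line format, event names (`session_created`, `password_changed`, `user_deleted`, `request`) and field names are constructed assumptions and will need mapping to the real log schema of the deployment being reviewed.

```python
"""Detection helpers for the CVE-2023-31065 log indicators (added example, not InLong code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log. Format is an assumption: "<ts> <event> key=value ...".
SAMPLE_LOG = """\
2023-05-01T10:00:00 session_created user=alice src_ip=10.0.0.5 session=s1
2023-05-01T10:05:00 session_created user=alice src_ip=198.51.100.7 session=s2
2023-05-01T10:10:00 password_changed user=alice
2023-05-01T10:15:00 request user=alice src_ip=198.51.100.7 session=s2 path=/api/inlong/manager
2023-05-01T10:18:00 session_created user=bob src_ip=10.0.0.9 session=s3
2023-05-01T10:20:00 user_deleted user=bob
2023-05-01T10:25:00 request user=bob src_ip=10.0.0.9 session=s3 path=/api/inlong/manager
2023-05-01T10:30:00 request user=carol src_ip=10.0.0.10 session=s4 path=/api/inlong/manager
"""

# Events that should invalidate every existing session of the named user.
INVALIDATING_EVENTS = {"password_changed", "user_deleted"}


def parse_log(text):
    """Parse the constructed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": datetime.fromisoformat(parts[0]), "event": parts[1], **fields})
    return events


def stale_session_activity(events):
    """Return (user, session, timestamp) for requests made with a session that was
    created before the user's most recent password change or deletion, i.e. a session
    that a fixed InLong (1.7.0+) would have expired."""
    invalidated_at = {}   # user -> time of latest invalidating event
    created_at = {}       # session id -> creation time
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] in INVALIDATING_EVENTS:
            invalidated_at[e["user"]] = e["ts"]
        elif e["event"] == "session_created":
            created_at[e["session"]] = e["ts"]
        elif "session" in e:
            cutoff = invalidated_at.get(e["user"])
            born = created_at.get(e["session"])
            # Unknown creation time is treated as pre-dating the cutoff (conservative).
            if cutoff is not None and e["ts"] > cutoff and (born is None or born < cutoff):
                findings.append((e["user"], e["session"], e["ts"].isoformat()))
    return findings


def users_with_multiple_ips(events):
    """Return users whose sessions were created from more than one source IP,
    the same condition as the advisory's SIEM query expressed over parsed events."""
    ips = defaultdict(set)
    for e in events:
        if e["event"] == "session_created":
            ips[e["user"]].add(e["src_ip"])
    return {user: addrs for user, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for finding in stale_session_activity(parsed):
        print("stale session still active:", finding)
    for user, addrs in users_with_multiple_ips(parsed).items():
        print("multiple source IPs:", user, sorted(addrs))
```

On the sample log this flags alice's session `s2` (used after her password change) and bob's session `s3` (used after his account was deleted), and reports alice as having sessions from two source IPs. Neither check is conclusive on its own (a legitimate user may switch networks), so treat the output as triage input rather than as proof of compromise.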