CVE-2023-31098

9.8 CRITICAL

📋 TL;DR

Apache InLong versions 1.1.0 through 1.6.0 have weak password requirements that allow users to set simple passwords. Attackers can easily guess these passwords and gain unauthorized access to user accounts. This affects all deployments using vulnerable versions of Apache InLong.

💻 Affected Systems

Products:
  • Apache InLong
Versions: 1.1.0 through 1.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with vulnerable versions are affected regardless of configuration.

📦 What is this software?

Apache InLong is an Apache Software Foundation data integration framework for ingesting, transforming and routing large volumes of data between sources and sinks. Its management console and API are protected by username/password user accounts, which is where this weakness lies.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to the InLong system, potentially compromising all data pipelines, stealing sensitive data, and using the system as a foothold for further attacks.

🟠 Likely Case

Attackers gain access to user accounts with standard privileges, allowing them to view, modify, or delete data pipelines and potentially escalate privileges.

🟢 If Mitigated

With strong password policies and monitoring, impact is limited to failed login attempts and alerts.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exposed to password guessing attacks from anywhere.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only password guessing or credential stuffing against the login endpoint, which any off-the-shelf brute-force tool can automate; no InLong-specific tooling is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0

Vendor Advisory: https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w

Restart Required: Yes

Instructions:

1. Back up your configuration and data.
2. Upgrade to Apache InLong 1.7.0.
3. Restart all InLong services.
4. Verify the upgrade: confirm the reported version is 1.7.0 and that setting a trivially weak password (for example a short, all-lowercase word) is now rejected.
5. Rotate the passwords of all existing accounts, since any password chosen under the weak policy remains weak after the upgrade.

🔧 Temporary Workarounds

Enforce Strong Password Policy (applies to all affected versions)

Implement external password policy enforcement through LDAP/AD integration or custom authentication modules. Where that is not available, at minimum set every existing account to a long, unique password and treat any account still using a password chosen under the weak policy as exposed.
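The kind of policy check a custom authentication module would apply, as an added example written for this page (not InLong's own code or its fix). The deny list is a constructed stand-in for a real breached-password set, and the thresholds (12 characters, 3 character classes) are assumptions; the point is the contrast between the permissive check that lets "admin" through and the hardened one that rejects it.

```python
import re
import secrets
import string

# Constructed stand-in for a breached-password deny list (e.g. the HIBP
# Pwned Passwords set); a real deployment loads hundreds of millions of entries.
COMMON_PASSWORDS = {"password", "123456", "admin", "inlong", "qwerty",
                    "password1", "admin123", "welcome"}

MIN_LENGTH = 12          # assumed minimum; NIST 800-63B allows 8, most policies go higher
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def weak_policy(password: str) -> bool:
    """The permissive check: anything non-empty is accepted, so 'admin' passes."""
    return len(password) > 0


def check_password(password: str, username: str = "") -> list[str]:
    """Hardened check. Returns the list of violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of 4+ repeated characters")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies check_password() (CSPRNG-backed)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("admin", "Admin12345678", "aaaaaaaaaaaa", generate_password()):
        print(f"{pw!r}: weak_policy={weak_policy(pw)} violations={check_password(pw, 'admin')}")
```

Run the module directly to see which of the four sample passwords each policy accepts; the first three pass the weak check and fail the hardened one.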

Enable Account Lockout (applies to all affected versions)

Configure account lockout or login rate limiting after repeated failed attempts. If the InLong version in use does not offer this natively, enforce it in front of the service (reverse proxy or WAF rate limiting on the login endpoint, or fail2ban driven by the authentication log).

🧯 If You Can't Patch

  • Implement network segmentation and restrict access to InLong instances to trusted IPs only.
  • Enable detailed authentication logging and monitor for failed login attempts and password changes.

🔍 How to Verify

Check if Vulnerable:

Check InLong version via web interface or configuration files. Versions 1.1.0-1.6.0 are vulnerable.

Check Version:

Check version in web UI or examine application configuration files for version information.

Verify Fix Applied:

After upgrading to 1.7.0, confirm that the password policy is actually enforced: attempt to set a trivially weak password (short, single character class, or a common word such as "admin") on a test account and verify it is rejected. Then confirm that all existing accounts have been rotated to passwords that meet the policy.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts for one or many users from a single source IP
  • A successful login from a source that just produced many failures
  • Password change events shortly after such a login (the new password itself must never appear in logs; look at the event, user and source)

Network Indicators:

  • High volume of authentication requests to InLong endpoints
  • Traffic patterns consistent with brute-force tools

SIEM Query (Splunk-style; field names are illustrative and must be mapped to your log schema):

source="inlong" AND (event_type="authentication_failure" OR event_type="password_change") | stats count by src_ip, user | where count > 5
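The same detection logic as a stand-alone script, added here as an example that is not part of the original page or the InLong project. The log lines are constructed in an assumed "timestamp event user=... src=..." layout (InLong's real audit format will differ, so adapt parse_line()); the window and failure threshold are assumptions. It raises three distinct alerts: a burst of failures from one source, a success from that source while the burst is still in the window, and a password change by that user from the same source afterwards.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real InLong output). One source guesses the
# admin password, gets in on the sixth try, then changes the password.
# A second user's single typo followed by a success must not alert.
SAMPLE_LOG = """\
2023-05-10T10:00:01Z authentication_failure user=admin src=203.0.113.5
2023-05-10T10:00:02Z authentication_failure user=admin src=203.0.113.5
2023-05-10T10:00:03Z authentication_failure user=admin src=203.0.113.5
2023-05-10T10:00:04Z authentication_failure user=admin src=203.0.113.5
2023-05-10T10:00:05Z authentication_failure user=admin src=203.0.113.5
2023-05-10T10:00:06Z authentication_success user=admin src=203.0.113.5
2023-05-10T10:00:40Z password_change user=admin src=203.0.113.5
2023-05-10T10:05:00Z authentication_failure user=alice src=198.51.100.7
2023-05-10T10:05:30Z authentication_success user=alice src=198.51.100.7
"""

FAIL_THRESHOLD = 5              # assumed: failures per source before alerting
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse_line(line: str) -> dict:
    """Parse one constructed log line into its fields."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_bruteforce(log_text: str) -> list[tuple[str, str, str]]:
    """Return (src, user, alert_kind) tuples in the order the alerts fire."""
    recent_failures = defaultdict(list)  # src -> failure timestamps inside WINDOW
    suspicious = set()                   # (src, user) that logged in after a burst
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src, user = ev["src"], ev["user"]
        # Expire failures that have aged out of the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= WINDOW]

        if ev["event"] == "authentication_failure":
            recent_failures[src].append(ev["ts"])
            if len(recent_failures[src]) == FAIL_THRESHOLD:   # fire once per burst
                alerts.append((src, user, "bruteforce_burst"))
        elif ev["event"] == "authentication_success":
            if len(recent_failures[src]) >= FAIL_THRESHOLD:
                alerts.append((src, user, "success_after_failures"))
                suspicious.add((src, user))
            recent_failures[src].clear()   # a success resets the counter for that source
        elif ev["event"] == "password_change":
            if (src, user) in suspicious:
                alerts.append((src, user, "password_change_after_suspicious_login"))
    return alerts


if __name__ == "__main__":
    for src, user, kind in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} src={src}")
```

Feed it a real log by replacing SAMPLE_LOG with the file contents and rewriting parse_line() for the actual format; the three alert kinds map directly onto the three log indicators above.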

🔗 References

  • Vendor advisory: https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w