CVE-2023-41887
📋 TL;DR
CVE-2023-41887 is a critical remote code execution vulnerability in OpenRefine that allows unauthenticated attackers to execute arbitrary code on the server. This affects all OpenRefine instances prior to version 3.7.5. The vulnerability stems from SQL injection (CWE-89) that can be exploited to achieve code execution.
💻 Affected Systems
- OpenRefine
📦 What is this software?
OpenRefine by OpenRefine
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, or use the server as part of a botnet.
Likely Case
Data theft, installation of cryptocurrency miners or ransomware, creation of backdoors for persistent access, and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, egress filtering, and least privilege principles are implemented, though initial compromise would still occur.
🎯 Exploit Status
The vulnerability is SQL injection that leads to RCE, making exploitation straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.5
Vendor Advisory: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5
Restart Required: Yes
Instructions:
1. Download OpenRefine 3.7.5 from the official repository.
2. Stop the OpenRefine service.
3. Replace the installation with version 3.7.5.
4. Restart the OpenRefine service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to OpenRefine instances with firewall rules that allow only trusted IP addresses.
iptables -A INPUT -p tcp --dport 3333 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 3333 -j DROP
Container Isolation
Run OpenRefine in a container with minimal privileges and no network access to sensitive systems.
docker run --name openrefine -p 3333:3333 -d openrefine/openrefine:3.7.5
🧯 If You Can't Patch
- Immediately restrict network access to only trusted IP addresses using firewall rules.
- Monitor logs for suspicious activity and implement network intrusion detection for SQL injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check the OpenRefine version. If it's below 3.7.5, it's vulnerable. Run: java -jar openrefine.jar --version
Check Version:
java -jar openrefine.jar --version
Verify Fix Applied:
Verify the version is 3.7.5 or higher using: java -jar openrefine.jar --version
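The version check above, as an added example that is not part of the advisory: a Python helper that parses an OpenRefine version string and reports whether it is below the 3.7.5 fix version. The optional live check assumes the instance exposes OpenRefine's /command/core/get-version endpoint returning JSON with a "version" field (an assumption about the API; confirm it against your build), and it treats a pre-release of 3.7.5 such as "3.7.5-rc1" conservatively as unfixed.

```python
"""Version check for CVE-2023-41887 (added example, not from the advisory).

Parses an OpenRefine version string and reports whether it is older than the
3.7.5 fix version. The optional HTTP check assumes the instance serves
/command/core/get-version (JSON with a "version" field); that endpoint name is
an assumption, not something stated in the advisory.
"""
import json
import re
import urllib.request

FIXED_VERSION = (3, 7, 5)

# major.minor[.patch][-suffix]; suffix covers pre-release tags such as "rc1" or "SNAPSHOT"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+]([0-9A-Za-z.]+))?")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, is_release) for strings like '3.7.4',
    '3.7.5-rc1' or '3.8.0-SNAPSHOT'. Raises ValueError on unparseable input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), suffix is None)


def is_vulnerable(version: str) -> bool:
    """True when the version is below 3.7.5. A pre-release of 3.7.5 itself
    (e.g. '3.7.5-rc1') predates the fix release and is treated as vulnerable
    (conservative assumption)."""
    major, minor, patch, is_release = parse_version(version)
    core = (major, minor, patch)
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and not is_release:
        return True
    return False


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Ask a running instance for its version (assumed endpoint, see module doc)."""
    url = base_url.rstrip("/") + "/command/core/get-version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:3333"
    v = fetch_version(target)
    status = "VULNERABLE (below 3.7.5)" if is_vulnerable(v) else "fixed (3.7.5 or later)"
    print(f"{target}: OpenRefine {v} -> {status}")
```

Run it with the base URL of an instance you administer (default http://127.0.0.1:3333); the offline functions can also be fed the output of the version command shown above.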
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Unexpected process execution from OpenRefine
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- SQL injection patterns in HTTP requests to OpenRefine endpoints
- Outbound connections from OpenRefine server to unusual destinations
SIEM Query:
source="openrefine.log" AND ("sql" OR "exec" OR "cmd")
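The SIEM query above matches the bare substrings "sql", "exec" and "cmd" anywhere in the log, which is noisy and misses URL-encoded payloads. As an added example that is not part of the advisory, the Python scanner below decodes each request target, restricts attention to OpenRefine's API paths (assumed to sit under /command/) and flags classic SQL-injection shapes in query strings. The access-log lines, the IP addresses and the /command/ext/example endpoint are constructed for the example.

```python
"""Access-log scan for SQL-injection patterns against OpenRefine endpoints.

Added example for CVE-2023-41887 hunting; not from the advisory. The sample
log, the client addresses and the /command/ext/example path are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:10:01:22 +0000] "GET /command/core/get-version HTTP/1.1" 200 88
10.0.0.5 - - [12/Sep/2023:10:02:10 +0000] "POST /command/core/create-project-from-upload HTTP/1.1" 302 0
203.0.113.9 - - [12/Sep/2023:10:05:41 +0000] "GET /command/ext/example?name=x%27%20OR%201%3D1-- HTTP/1.1" 200 512
203.0.113.9 - - [12/Sep/2023:10:05:43 +0000] "GET /command/ext/example?name=x%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 200 640
10.0.0.7 - - [12/Sep/2023:10:06:00 +0000] "GET /command/core/get-all-project-metadata HTTP/1.1" 200 2048
10.0.0.7 - - [12/Sep/2023:10:06:05 +0000] "GET /project?project=2134 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Textbook injection shapes, applied to the decoded query string.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
}


def parse_line(line: str):
    """Split one access-log line into fields; the query is percent-decoded so
    %27 becomes ' and %20 becomes a space before pattern matching."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)
    return rec


def classify(query: str) -> list:
    """Names of the injection patterns found in a decoded query string."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(query)]


def scan(log_text: str, api_prefix: str = "/command/") -> list:
    """Return one finding per request under api_prefix whose query matches."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(api_prefix):
            continue
        hits = classify(rec["query"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "patterns": hits})
    return findings


def sources(findings: list) -> dict:
    """Count findings per client address, a quick pivot for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {', '.join(f['patterns'])}")
    print("per source:", sources(scan(SAMPLE_LOG)))
```

Point scan() at your reverse-proxy or servlet access log; decoding before matching is what keeps the encoded payloads from slipping past a plain substring query, and the per-source tally gives the address to block under the firewall workaround above.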
🔗 References
- https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5