CVE-2024-24824
📋 TL;DR
This vulnerability in Graylog allows authenticated users with appropriate permissions to load and instantiate arbitrary Java classes via HTTP PUT requests to the cluster config endpoint. This can lead to remote code execution during class instantiation or information disclosure when specific classes like java.io.File are used. Affected versions are Graylog 2.0.0 through 5.1.10 and 5.2.0 through 5.2.3.
💻 Affected Systems
- Graylog
📦 What is this software?
Graylog by Graylog
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the environment.
Likely Case
Information disclosure through file reading using java.io.File class instantiation, potentially exposing sensitive configuration files or logs.
If Mitigated
Limited impact if proper authentication and authorization controls prevent unauthorized access to the vulnerable endpoint.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is well-documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.11 and 5.2.4
Vendor Advisory: https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj
Restart Required: Yes
Instructions:
1. Back up your Graylog configuration and data.
2. Upgrade to Graylog 5.1.11 if using the 5.1.x series.
3. Upgrade to Graylog 5.2.4 if using the 5.2.x series.
4. Restart the Graylog service.
5. Verify the fix by checking the version.
🔧 Temporary Workarounds
Restrict access to cluster config endpoint
Use network controls or a web application firewall to block access to the /api/system/cluster_config/ endpoint from unauthorized users.
Implement strict authentication and authorization
Ensure only the users who absolutely need it have permission to modify the cluster configuration.
🧯 If You Can't Patch
- Implement network segmentation to isolate Graylog instances from sensitive systems
- Enable detailed logging and monitoring for suspicious PUT requests to /api/system/cluster_config/
🔍 How to Verify
Check if Vulnerable:
Check the Graylog version via the web interface or the API. If the version is 2.0.0 through 5.1.10 or 5.2.0 through 5.2.3, the system is vulnerable.
Check Version:
curl -u admin:password http://graylog-server:9000/api/system | grep version
Verify Fix Applied:
After patching, verify version is 5.1.11 or higher for 5.1.x series, or 5.2.4 or higher for 5.2.x series.
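The version check above can be scripted so the same ranges are applied consistently across many Graylog nodes. The following is an added example, not part of the advisory or of Graylog's own tooling; it assumes that GET /api/system returns a JSON object with a "version" field (as the curl check implies) and the sample response it parses is constructed.

```python
"""Check a Graylog version string against the CVE-2024-24824 affected ranges.

Added example, not from the advisory or Graylog. Assumes GET /api/system
returns JSON with a "version" field; the sample response below is constructed.
"""
import json
import re
from typing import Optional, Tuple

# Affected ranges from the advisory: 2.0.0 through 5.1.10 and 5.2.0 through 5.2.3.
AFFECTED_RANGES = [((2, 0, 0), (5, 1, 10)), ((5, 2, 0), (5, 2, 3))]
# First fixed release in each maintained series, per the advisory.
FIXED_VERSIONS = {(5, 1): (5, 1, 11), (5, 2): (5, 2, 4)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from strings such as '5.2.3+abc123' or '5.1.10-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside either affected range (inclusive)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(version_text: str) -> str:
    """Return a one-line verdict for the version string reported by /api/system."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: could not parse version %r" % version_text
    label = "%d.%d.%d" % v
    if not is_vulnerable(v):
        return "not affected: %s is outside the advisory's ranges" % label
    fix = FIXED_VERSIONS.get(v[:2])
    if fix is None:
        # Older series (2.x through 5.0.x) have no in-series fix listed; move to a fixed release.
        return "vulnerable: %s; upgrade to 5.1.11 or 5.2.4" % label
    return "vulnerable: %s; upgrade to %d.%d.%d" % ((label,) + fix)


def assess_api_response(body: str) -> str:
    """Feed the raw JSON body from GET /api/system into assess()."""
    data = json.loads(body)
    return assess(str(data.get("version", "")))


# Constructed sample response; only the "version" field matters here.
SAMPLE_RESPONSE = '{"facility": "graylog-server", "version": "5.2.3+9b6f3e8"}'

if __name__ == "__main__":
    print(assess_api_response(SAMPLE_RESPONSE))
```

Ranges are compared as integer tuples so that 5.1.10 sorts before 5.1.11 (a plain string comparison would get this wrong). Feed the script the body of the curl call shown above instead of the constructed sample to check a live node.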
📡 Detection & Monitoring
Log Indicators:
- HTTP PUT requests to /api/system/cluster_config/ with unusual class names
- Java class loading errors in Graylog logs
- Unexpected file read operations
Network Indicators:
- HTTP PUT requests to /api/system/cluster_config/ endpoint
- Unusual outbound traffic from Graylog server
SIEM Query:
source="graylog" AND (uri_path="/api/system/cluster_config/" AND http_method="PUT")
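The SIEM query above matches every PUT to the endpoint, which includes legitimate configuration writes. The following added example (not from the advisory or from Graylog) goes one step further and separates the class name in the request path so that unexpected classes can be ranked higher. It assumes a reverse proxy in front of Graylog writing combined-format access logs; the sample lines are constructed, and the allowlist of class-name prefixes is an assumption to be tuned against what your own deployment legitimately writes.

```python
"""Flag PUT requests to Graylog's cluster config endpoint in HTTP access logs.

Added example, not code from the advisory or from Graylog. Assumes combined
format access logs from a proxy in front of Graylog (sample lines below are
constructed). EXPECTED_PREFIXES is an assumption: tune it to your deployment.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/api/system/cluster_config/"
# Assumed: Graylog's own cluster config classes live under these packages.
EXPECTED_PREFIXES = ("org.graylog2.", "org.graylog.")


def class_name_from_path(path: str) -> str:
    """Return the class-name segment after the endpoint, query string dropped and URL-decoded."""
    rest = path[len(ENDPOINT):].split("?", 1)[0]
    return unquote(rest)


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per PUT to the cluster config endpoint, ranked by class name."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        if m["method"] != "PUT" or not m["path"].startswith(ENDPOINT):
            continue  # GETs of the config and other endpoints are normal traffic
        cls = class_name_from_path(m["path"])
        # Writes to Graylog's own config classes are routine; anything else is the
        # pattern the advisory describes and deserves a high-severity alert.
        severity = "info" if cls.startswith(EXPECTED_PREFIXES) else "high"
        alerts.append({
            "src": m["src"], "user": m["user"], "time": m["ts"],
            "class": cls, "status": m["status"], "severity": severity,
        })
    return alerts


def high_severity(alerts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter to the alerts an analyst should look at first."""
    return [a for a in alerts if a["severity"] == "high"]


# Constructed sample log; status codes and class names are illustrative only.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2024:10:15:01 +0000] "GET /api/system/cluster_config/org.graylog2.indexer.searches.SearchesClusterConfig HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '10.0.0.5 - admin [12/Feb/2024:10:15:07 +0000] "PUT /api/system/cluster_config/org.graylog2.indexer.searches.SearchesClusterConfig HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [12/Feb/2024:10:16:42 +0000] "PUT /api/system/cluster_config/java.io.File HTTP/1.1" 202 0 "-" "curl/8.4.0"',
    '10.0.0.9 - admin [12/Feb/2024:10:16:43 +0000] "PUT /api/system/cluster_config/java.io.File?pretty=true HTTP/1.1" 400 51 "-" "curl/8.4.0"',
    '10.0.0.5 - - [12/Feb/2024:10:17:00 +0000] "GET /api/system HTTP/1.1" 200 540 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["severity"], alert["time"], alert["src"], alert["user"], alert["class"], alert["status"])
```

The class name is URL-decoded before the prefix check so that percent-encoded requests are classified the same way as plain ones, and the query string is stripped so the endpoint match does not depend on optional parameters. Correlate the "user" field with the list of accounts that are meant to have cluster-config permissions; a PUT from any other account is worth a ticket regardless of the class name.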
🔗 References
- https://github.com/Graylog2/graylog2-server/blob/e458db8bf4f789d4d19f1b37f0263f910c8d036c/graylog2-server/src/main/java/org/graylog2/rest/resources/system/ClusterConfigResource.java#L208-L214
- https://github.com/Graylog2/graylog2-server/commit/75ef2b8d60e7d67f859b79fe712c8ae7b2e861d8
- https://github.com/Graylog2/graylog2-server/commit/7f8ef7fa8edf493106d5ef6f777d4da02c5194d9
- https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-p6gg-5hf4-4rgj