CVE-2024-28848
📋 TL;DR
This vulnerability allows authenticated non-admin users in OpenMetadata to execute arbitrary system commands via SpEL expression injection. Attackers can achieve remote code execution by exploiting the /api/v1/policies/validation/condition/ endpoint. All OpenMetadata deployments before version 1.2.4 are affected.
💻 Affected Systems
- OpenMetadata
📦 What is this software?
OpenMetadata by Open Metadata
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems.
Likely Case
Unauthorized command execution leading to data theft, service disruption, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and least privilege access controls are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.4
Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5xv3-fm7g-865r
Restart Required: Yes
Instructions:
1. Back up your OpenMetadata configuration and data.
2. Stop the OpenMetadata service.
3. Upgrade to version 1.2.4 or later using your package manager or deployment method.
4. Restart the OpenMetadata service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
No known workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Restrict network access to OpenMetadata instances using firewall rules to only allow trusted sources.
- Implement strict authentication controls and monitor for suspicious authentication attempts to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check whether the running OpenMetadata version is below 1.2.4; every version before 1.2.4 is affected.
Check Version:
Check the OpenMetadata web interface admin panel or review deployment configuration files for version information.
Verify Fix Applied:
Verify the OpenMetadata version is 1.2.4 or higher and that the /api/v1/policies/validation/condition/ endpoint no longer accepts arbitrary SpEL expressions.
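As an added example (not part of this advisory or of the OpenMetadata project), the following helper turns the version check above into a comparison that does not fall into the usual string-ordering trap (where "1.10.0" sorts before "1.2.4"). It compares numeric version tuples against the 1.2.4 fix threshold stated above and conservatively treats a pre-release build of 1.2.4 (e.g. "1.2.4-SNAPSHOT") as still vulnerable. The version string is whatever you read from the admin panel or deployment configuration; the accepted formats are an assumption of this example.

```python
import re

# First fixed release according to the vendor advisory (GHSA-5xv3-fm7g-865r).
FIXED = (1, 2, 4)

# Accepts "1.2.3", "v1.2.3" and "1.2.3-SNAPSHOT"; the tail after the third number
# (if any) is captured so pre-release builds can be treated conservatively.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<suffix>[-+.].*)?$")


def parse_version(s):
    """Return (major, minor, patch, is_prerelease) for a version string.

    Raises ValueError for strings that do not look like a semantic version,
    so an unexpected format is never silently reported as 'fixed'.
    """
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return major, minor, patch, bool(m.group("suffix"))


def is_vulnerable(version):
    """True when the version is older than 1.2.4, or is a pre-release of 1.2.4.

    A snapshot labelled 1.2.4 may predate the fix commit, so it is treated as
    vulnerable until a released 1.2.4 (or later) is confirmed.
    """
    major, minor, patch, prerelease = parse_version(version)
    numeric = (major, minor, patch)
    if numeric < FIXED:
        return True
    if numeric == FIXED and prerelease:
        return True
    return False


if __name__ == "__main__":
    for v in ("1.2.3", "v1.2.4", "1.2.4-SNAPSHOT", "1.10.0"):
        print(f"{v:>16}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Run it against the version string you collected; a result of VULNERABLE means the upgrade step above has not yet been completed on that instance.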
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /api/v1/policies/validation/condition/ with SpEL expressions
- Multiple failed authentication attempts followed by successful authentication and policy validation requests
- System command execution logs from the OpenMetadata process
Network Indicators:
- HTTP POST requests to /api/v1/policies/validation/condition/ containing Java class references or command execution patterns
- Outbound connections from OpenMetadata server to unexpected destinations
SIEM Query:
source="openmetadata" AND (url="/api/v1/policies/validation/condition/*" OR message CONTAINS "CompiledRule.validateExpression")
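The two log indicators above (suspicious SpEL in requests to the validation endpoint, and a burst of failed logins followed by a successful login and a validation request) can be checked offline with a small script. The one below is an added example, not code from this advisory or from OpenMetadata. It parses a constructed access-log format (timestamp, client IP, user, request line, status, request body); the real deployment's log shape, the `/api/v1/users/login` path used for the failed-authentication indicator, and the specific SpEL markers it looks for (type references `T(...)`, template delimiters `#{`, and `new` object creation, none of which a policy condition has a reason to contain) are assumptions of this example and should be adapted to what your proxy or application logs actually emit.

```python
import re
from collections import defaultdict

ENDPOINT = "/api/v1/policies/validation/condition/"
LOGIN_PATH = "/api/v1/users/login"  # assumed login path; adjust to your deployment

# Constructed line format: <ts> <client_ip> <user> "<METHOD> <path>" <status> body="<body>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)

# SpEL constructs that legitimate policy conditions (isOwner(), matchAnyTag(...), ...)
# never need: type references, template delimiters, object construction.
SUSPICIOUS_SPEL = re.compile(r"\bT\s*\(|#\{|\bnew\s+[\w.]+\s*\(")

# Constructed sample log: a login spray from 10.0.0.7 followed by a suspicious
# validation request, plus ordinary policy-condition traffic from other users.
SAMPLE_LOG = """\
2024-03-20T10:14:50Z 10.0.0.7 - "POST /api/v1/users/login" 401 body=""
2024-03-20T10:14:52Z 10.0.0.7 - "POST /api/v1/users/login" 401 body=""
2024-03-20T10:14:55Z 10.0.0.7 - "POST /api/v1/users/login" 401 body=""
2024-03-20T10:14:58Z 10.0.0.7 bob "POST /api/v1/users/login" 200 body=""
2024-03-20T10:15:02Z 10.0.0.7 bob "POST /api/v1/policies/validation/condition/" 200 body="T(java.lang.System)"
2024-03-20T10:16:10Z 10.0.0.5 alice "POST /api/v1/policies/validation/condition/" 200 body="matchAnyTag('PII.Sensitive')"
2024-03-20T10:16:11Z 10.0.0.5 alice "GET /api/v1/tables" 200 body=""
2024-03-20T10:17:00Z 10.0.0.9 carol "POST /api/v1/policies/validation/condition/" 200 body="isOwner() || noOwner()"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_spel_injection(lines):
    """Indicator 1: POST to the validation endpoint whose body carries suspicious SpEL.

    Returns a list of (client_ip, user, body) tuples for each matching request.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["method"] == "POST" and ev["path"].startswith(ENDPOINT)
                and SUSPICIOUS_SPEL.search(ev["body"])):
            hits.append((ev["ip"], ev["user"], ev["body"]))
    return hits


def find_auth_spray_then_validate(lines, threshold=3):
    """Indicator 2: >= threshold failed logins from one client, then a successful
    login and a POST to the validation endpoint. Returns the flagged client IPs."""
    failures = defaultdict(int)
    logged_in_after_spray = set()
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, path, status = ev["ip"], ev["path"], ev["status"]
        if path == LOGIN_PATH:
            if status == "401":
                failures[ip] += 1
            elif status.startswith("2") and failures[ip] >= threshold:
                logged_in_after_spray.add(ip)
        elif (ev["method"] == "POST" and path.startswith(ENDPOINT)
              and ip in logged_in_after_spray and ip not in flagged):
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, user, body in find_spel_injection(lines):
        print(f"suspicious SpEL from {ip} as {user}: {body!r}")
    for ip in find_auth_spray_then_validate(lines):
        print(f"login spray then validation request from {ip}")
```

Both functions return structured results rather than printing, so the same logic can feed a SIEM enrichment job or a scheduled check; the `T(` marker in particular corresponds to the "Java class references" network indicator listed above.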
🔗 References
- https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection
- https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/CompiledRule.java#L51
- https://github.com/open-metadata/OpenMetadata/blob/main/openmetadata-service/src/main/java/org/openmetadata/service/security/policyevaluator/CompiledRule.java#L57
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5xv3-fm7g-865r