CVE-2024-3046

7.5 HIGH

📋 TL;DR

This vulnerability in Eclipse Kura's LogServlet allows unauthenticated attackers to retrieve device logs via a specially crafted request to the servlet. The downloaded logs may contain the session IDs of authenticated users, which an attacker can reuse to escalate privileges. It affects Eclipse Kura versions 5.0.0 through 5.4.1.

💻 Affected Systems

Products:
  • Eclipse Kura
Versions: 5.0.0 to 5.4.1
Operating Systems: Linux-based IoT gateways
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in org.eclipse.kura:org.eclipse.kura.web2, version range [2.0.600, 2.4.0], which is the web console bundle shipped in the listed Kura versions.

📦 What is this software?

Eclipse Kura is an open-source, OSGi-based Java framework for IoT edge gateways. Its web console is delivered as the org.eclipse.kura.web2 bundle, which is where the affected LogServlet lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to the Kura system by extracting valid session IDs from logs, leading to complete system compromise and potential lateral movement.

🟠

Likely Case

Unauthenticated attackers access sensitive log data containing system information, configuration details, and potentially session tokens.

🟢

If Mitigated

Log exposure limited to non-sensitive information with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific HTTP requests to the LogServlet endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Eclipse Kura 5.4.2 or later

Vendor Advisory: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188

Restart Required: Yes

Instructions:

1. Download Eclipse Kura 5.4.2 or later from the official repository.
2. Back up the current configuration.
3. Stop the Kura service.
4. Install the updated version.
5. Restart the Kura service.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to the Kura web console with firewall rules. The port and address range below are placeholders: use the HTTP and HTTPS ports the Kura HTTP service is actually configured with, and repeat the pair for each port. iptables evaluates rules in order, so if an earlier rule already accepts this traffic these two are never reached; insert them ahead of it (with -I instead of -A) in that case. This limits exposure but does not remove the flaw: any host inside trusted_ip_range can still fetch the logs without authenticating.

iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Authentication Enforcement

all

Put an authenticating reverse proxy in front of the console and require a login at the proxy for the LogServlet path. The bypass is in the servlet's own access check, so only a control that sits in front of Kura can stop the request before it reaches the servlet; this is a stopgap, not a substitute for the 5.4.2 upgrade.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Kura instances from untrusted networks
  • Enable comprehensive logging and monitoring for unauthorized access attempts to LogServlet endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Kura version in the web console or from the command line (dpkg -l | grep kura on Debian-based gateways). A Kura installed from an archive or running in a container does not appear in the package database, so use the console there.

Check Version:

dpkg -l | grep kura-web2 || rpm -qa | grep kura

Verify Fix Applied:

Verify that the installed version is 5.4.2 or later, then confirm that a request to the LogServlet endpoint sent without a session cookie is rejected (401/403 or a redirect to the login page) rather than answered with log content.
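The version check and the unauthenticated probe from the steps above, as an added example (not Kura project code). The affected ranges come from the advisory text on this page; the LogServlet path (/log), the base URL and the user agent are assumptions to adjust to the console's configured application root and port. Versions are compared as integer tuples so that, for example, 5.4.10 is correctly treated as newer than 5.4.1 rather than sorting below 5.4.2 as a string would.

```python
"""Added example, not Kura project code: classify an installed Kura / web2 bundle
version against the CVE-2024-3046 affected range, and probe the LogServlet with no
session cookie to confirm a fix.  The endpoint path (/log) and the URL are
assumptions; adjust them to the console's configured application root and port."""
import re
import ssl
import urllib.error
import urllib.request

# Inclusive affected ranges taken from the advisory text above.
AFFECTED_KURA = ((5, 0, 0), (5, 4, 1))
AFFECTED_WEB2 = ((2, 0, 600), (2, 4, 0))   # org.eclipse.kura:org.eclipse.kura.web2
FIXED_KURA = (5, 4, 2)

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Pull the first dotted numeric version out of strings such as '5.4.1',
    a dpkg line ('ii  kura  5.4.1-1  all  ...') or a bundle file name, and
    return it as a comparable tuple padded/truncated to three components."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def in_range(version, bounds):
    lo, hi = bounds
    return lo <= version <= hi


def kura_affected(version_text):
    """True when the Kura version is in 5.0.0 .. 5.4.1 (tuple comparison, so
    5.4.10 sorts above 5.4.1 and is not flagged)."""
    return in_range(parse_version(version_text), AFFECTED_KURA)


def web2_affected(version_text):
    """Same check for the org.eclipse.kura.web2 bundle version."""
    return in_range(parse_version(version_text), AFFECTED_WEB2)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the answer,
    and following it would turn a rejection into a misleading 200."""

    def redirect_request(self, *args, **kwargs):
        return None


def probe_logservlet(base_url, path="/log", timeout=5, insecure=False):
    """GET the LogServlet with no Cookie header and return the HTTP status.
    A fixed install should not answer 200; 401/403 or a 30x redirect to the
    login page is expected.  insecure=True skips TLS verification for the
    self-signed certificate many gateways use (assumption about the deployment)."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "cve-2024-3046-check"},   # assumed identifier
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(kura_version_text, probe_status=None):
    """Combine the version check with an optional probe result into a verdict."""
    if kura_affected(kura_version_text):
        return "vulnerable: version in affected range, upgrade to 5.4.2 or later"
    if probe_status == 200:
        return "suspicious: version looks fixed but LogServlet served 200 unauthenticated"
    return "not affected by version; confirm with an unauthenticated probe"


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "5.4.1"
    status = probe_logservlet(sys.argv[2], insecure=True) if len(sys.argv) > 2 else None
    print(classify(version, status))
```

Run it with the version string from dpkg or the console and, optionally, the console's base URL; a fixed gateway should report a non-200 status from the probe, and any 200 on a supposedly fixed version is worth investigating before trusting the upgrade.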

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /log endpoints
  • Multiple failed authentication attempts followed by successful log access

Network Indicators:

  • HTTP GET requests to /log/* endpoints from unauthenticated sources
  • Unusual volume of log download requests

SIEM Query:

source="kura" AND (url_path="/log" OR url_path LIKE "/log/%") AND http_status=200 AND auth_status="unauthenticated"

The field names are illustrative and depend on the log source feeding the SIEM. Most access logs carry no auth_status field, so "unauthenticated" usually has to be derived from the absence of a session cookie on the request, and the path prefix must match the console's configured application root.
