CVE-2024-39901
📋 TL;DR
This vulnerability in OpenSearch Observability plugins allows unauthorized users to access private tenant resources like notebooks. It affects OpenSearch deployments using observability plugins where private tenant resources exist. The issue occurs because the system fails to properly verify if the requesting user is the resource author.
💻 Affected Systems
- OpenSearch Observability plugins
📦 What is this software?
Observability by OpenSearch
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could access sensitive notebooks and data stored in private tenants, potentially exposing confidential information, intellectual property, or operational data.
Likely Case
Internal users with access to the OpenSearch cluster could inadvertently or intentionally access other users' private notebooks and resources.
If Mitigated
With proper access controls and network segmentation, impact is limited to authenticated users within the same security domain.
🎯 Exploit Status
Exploitation requires valid user credentials and knowledge of resource identifiers in private tenants.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSearch 2.14
Vendor Advisory: https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33
Restart Required: Yes
Instructions:
1. Back up your OpenSearch configuration and data.
2. Upgrade OpenSearch to version 2.14 or later.
3. Restart the OpenSearch service.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable private tenant access
Temporarily disable access to private tenant resources until patching can be completed.
# Modify OpenSearch configuration to restrict private tenant access
# Consult OpenSearch documentation for specific configuration changes
Implement network segmentation
Restrict access to OpenSearch Observability endpoints to authorized users only.
# Configure firewall rules to limit access
# Example: iptables -A INPUT -p tcp --dport 9200 -s trusted_network -j ACCEPT
Note that an ACCEPT rule for the trusted network only restricts access if the chain's default policy, or a later rule, drops traffic to port 9200 from all other sources.
🧯 If You Can't Patch
- Implement strict access controls and audit logging for all OpenSearch Observability access
- Monitor for unauthorized access attempts to private tenant resources
🔍 How to Verify
Check if Vulnerable:
Check the OpenSearch version: curl -X GET 'http://localhost:9200/' | grep number (use https:// and add -u user:password if the security plugin is enabled). If the version is below 2.14 and the observability plugins are enabled, the system is vulnerable.
Check Version:
curl -X GET 'http://localhost:9200/'
Verify Fix Applied:
After upgrading to OpenSearch 2.14, verify the version and test that private tenant resources are properly access-controlled.
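The version check above can be scripted so it runs the same way on every node. The following is an added example, not code from the advisory or the OpenSearch project: it parses the JSON body returned by GET / (and, optionally, GET /_cat/plugins?format=json), compares the release number against 2.14.0, and reports whether the node is in the affected range. The sample responses are constructed, and the plugin component name "opensearch-observability" is an assumption about how the plugin is listed.

```python
import json
import re

# Constructed sample bodies from GET / on an OpenSearch node (not real captures).
SAMPLE_VULNERABLE = (
    '{"name":"node-1","cluster_name":"opensearch",'
    '"version":{"distribution":"opensearch","number":"2.13.0","build_type":"tar"},'
    '"tagline":"The OpenSearch Project: https://opensearch.org/"}'
)
SAMPLE_FIXED = (
    '{"name":"node-1","cluster_name":"opensearch",'
    '"version":{"distribution":"opensearch","number":"2.14.0"}}'
)
# Constructed sample body from GET /_cat/plugins?format=json; the component
# name for the observability plugin is assumed, not taken from the advisory.
SAMPLE_CAT_PLUGINS = (
    '[{"name":"node-1","component":"opensearch-observability","version":"2.13.0"},'
    '{"name":"node-1","component":"opensearch-security","version":"2.13.0"}]'
)

FIXED_VERSION = (2, 14, 0)  # first release carrying the fix, per the advisory


def parse_version(number: str) -> tuple:
    """Turn '2.13.0' or '2.14.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", number)
    if not m:
        raise ValueError(f"unrecognised version string: {number!r}")
    return tuple(int(x) for x in m.groups())


def version_from_root_response(body: str) -> tuple:
    """Extract version.number from the JSON body of GET /.

    Refuses bodies that are not from an OpenSearch distribution, so an
    Elasticsearch node answering on the same port is not misclassified.
    """
    doc = json.loads(body)
    version = doc["version"]
    if version.get("distribution") != "opensearch":
        raise ValueError("response is not from an OpenSearch node")
    return parse_version(version["number"])


def observability_installed(cat_plugins_body: str) -> bool:
    """True if any listed plugin component looks like the observability plugin (assumed name)."""
    plugins = json.loads(cat_plugins_body)
    return any("observability" in p.get("component", "") for p in plugins)


def is_vulnerable(root_body: str, observability_enabled: bool) -> bool:
    """Affected when the node runs a pre-2.14 release and the observability plugins are enabled."""
    return observability_enabled and version_from_root_response(root_body) < FIXED_VERSION


if __name__ == "__main__":
    enabled = observability_installed(SAMPLE_CAT_PLUGINS)
    for label, body in (("vulnerable sample", SAMPLE_VULNERABLE), ("fixed sample", SAMPLE_FIXED)):
        print(label, "->", "AFFECTED" if is_vulnerable(body, enabled) else "not affected")
```

To run it against a live node, replace the constructed bodies with the output of the two curl commands (adding -u user:password and https:// when the security plugin is enabled); the comparison logic is unchanged.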
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to private tenant resources
- Access patterns showing users accessing resources they didn't create
Network Indicators:
- Unusual API calls to observability endpoints from unexpected sources
SIEM Query:
source="opensearch" AND ("observability" OR "private tenant") AND (status="200" OR status="403") | stats count by user, resource
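The log indicators above come down to one join: who accessed a private-tenant resource, and who created it. The following added example (not from the advisory or the OpenSearch project) implements that check offline over constructed JSON-per-line access events and a constructed resource-to-author map. The event shape, the tenant labels "private" and "global", and the idea of obtaining authors from resource metadata are assumptions; the real OpenSearch audit log format differs, so the parser would need adapting before use. It produces the same per-user, per-resource counts as the SIEM query, plus the two lists a responder actually wants: successful accesses by non-authors, and denied attempts.

```python
import json
from collections import Counter

# Constructed: who created each private-tenant notebook (assumed to come from
# resource metadata or the audit trail of create events; not a real data set).
RESOURCE_AUTHORS = {
    "notebook-a1": "alice",
    "notebook-b7": "bob",
}

# Constructed access-log lines; the field names and tenant labels are assumed.
SAMPLE_LOG = """
{"ts":"2024-07-01T10:00:01Z","user":"alice","tenant":"private","resource":"notebook-a1","status":200}
{"ts":"2024-07-01T10:00:05Z","user":"bob","tenant":"private","resource":"notebook-a1","status":200}
{"ts":"2024-07-01T10:00:09Z","user":"carol","tenant":"private","resource":"notebook-b7","status":403}
{"ts":"2024-07-01T10:00:12Z","user":"bob","tenant":"private","resource":"notebook-a1","status":200}
{"ts":"2024-07-01T10:00:20Z","user":"bob","tenant":"global","resource":"notebook-g3","status":200}
{"ts":"2024-07-01T10:00:25Z","user":"dave","tenant":"private","resource":"notebook-zz","status":200}
"""


def parse_events(log_text: str) -> list:
    """Parse one JSON object per non-empty line; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def stats_by_user_resource(events: list) -> Counter:
    """Equivalent of the SIEM query's 'stats count by user, resource'."""
    return Counter((e["user"], e["resource"]) for e in events)


def find_cross_author_access(events: list, authors: dict) -> list:
    """Successful (200) private-tenant accesses where the caller is not the recorded author.

    This is the condition the fixed plugin enforces server-side; seeing it in the
    logs of an unpatched node is the indicator the advisory describes.
    """
    hits = []
    for e in events:
        if e.get("tenant") != "private" or e.get("status") != 200:
            continue
        author = authors.get(e["resource"])
        if author is not None and author != e["user"]:
            hits.append(e)
    return hits


def find_unknown_private_resources(events: list, authors: dict) -> list:
    """Private-tenant accesses to resources with no author record: cannot be judged, worth review."""
    return [e for e in events
            if e.get("tenant") == "private" and e["resource"] not in authors]


def find_denied_attempts(events: list) -> list:
    """403s against private-tenant resources: the 'unauthorized access attempts' indicator."""
    return [e for e in events if e.get("tenant") == "private" and e.get("status") == 403]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("counts:", dict(stats_by_user_resource(evs)))
    for e in find_cross_author_access(evs, RESOURCE_AUTHORS):
        print("CROSS-AUTHOR ACCESS:", e["ts"], e["user"], "->", e["resource"])
    for e in find_denied_attempts(evs):
        print("denied:", e["ts"], e["user"], "->", e["resource"])
    for e in find_unknown_private_resources(evs, RESOURCE_AUTHORS):
        print("no author record:", e["ts"], e["user"], "->", e["resource"])
```

On an unpatched cluster, successful cross-author hits are the signal that the missing author check was exercised; after upgrading to 2.14 the same accesses should show up only as denied attempts. Resources with no author record are reported separately rather than silently treated as benign.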
🔗 References
- https://github.com/opensearch-project/observability/commit/014423178f8f61d90442dde03cbdcd754c70a84e
- https://github.com/opensearch-project/observability/security/advisories/GHSA-77vc-rj32-2r33
- https://opensearch.org/versions/opensearch-2-14-0.html