CVE-2024-42361
📋 TL;DR
CVE-2024-42361 is a SQL injection vulnerability in Hertzbeat's monitoring endpoint that allows attackers to execute arbitrary SQL commands. This affects all Hertzbeat instances running version 1.6.0 or earlier with the vulnerable endpoint exposed. Attackers can potentially read, modify, or delete database contents.
💻 Affected Systems
- Hertzbeat
📦 What is this software?
Hertzbeat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized access to monitoring data, extraction of sensitive configuration information, and potential denial of service through database manipulation.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
SQL injection is well-understood and GitHub Security Lab has published detailed advisories with exploitation details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1 or later
Vendor Advisory: https://github.com/dromara/hertzbeat/security/advisories
Restart Required: Yes
Instructions:
1. Backup your Hertzbeat configuration and data.
2. Stop the Hertzbeat service.
3. Update to version 1.6.1 or later.
4. Restart the service.
5. Verify the fix by checking the version.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious requests to the vulnerable endpoint.
Network Access Control
Restrict access to the Hertzbeat API endpoint (/api/monitor/*) to trusted IP addresses only.
iptables -A INPUT -p tcp --dport [hertzbeat-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [hertzbeat-port] -j DROP
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in custom code if modifying source is possible.
- Monitor and audit all access to the /api/monitor/{monitorId}/metric/{metricFull} endpoint for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if your Hertzbeat version is 1.6.0 or earlier and if the /api/monitor/{monitorId}/metric/{metricFull} endpoint is accessible.
Check Version:
Check the Hertzbeat web interface or configuration files for version information.
Verify Fix Applied:
After updating, verify the version is 1.6.1 or later and test that SQL injection attempts are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple rapid requests to /api/monitor/* endpoints
- Requests with SQL keywords in URL parameters
Network Indicators:
- Unusual database connection patterns from application server
- Large data transfers from database to unexpected sources
SIEM Query:
source="hertzbeat" AND (url="/api/monitor/*" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR*"))
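The log indicators above can be checked offline against an ordinary web-server access log. The following is an added example written for this page, not code from Hertzbeat or from the advisory: it parses constructed sample lines in combined log format, restricts attention to /api/monitor/* requests, percent-decodes path segments and query parameters before matching word-bounded SQL keyword patterns (the bare `*OR*` wildcard in the SIEM query above also matches words such as "monitor" and "error", so OR is only flagged next to a quote), and raises a separate alert when one source IP sends a burst of requests to the endpoint within a short window. The IP addresses, timestamps, thresholds and payload strings are all constructed for the example.

```python
"""Scan access-log lines for the CVE-2024-42361 log indicators (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Combined log format: ip - - [time] "METHOD url HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Word-bounded SQL patterns. A bare "OR" is too noisy, so it is only flagged
# when it sits between quotes or digits, as in a tautology.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"\bselect\b.+\bfrom\b", re.I),
    re.compile(r"['\"]\s*\bor\b\s*['\"\d]", re.I),
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    re.compile(r"(--|/\*|;)\s*(drop|delete|update|insert)\b", re.I),
]

MONITOR_PREFIX = "/api/monitor/"  # endpoint family named in the advisory

# Constructed sample lines: one benign, one carrying a generic keyword payload
# in the metric path segment, one benign with a query string, one off-endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:12:00:01 +0000] "GET /api/monitor/12/metric/cpu HTTP/1.1" 200 512
203.0.113.7 - - [10/Aug/2024:12:00:02 +0000] "GET /api/monitor/12/metric/cpu%27%20UNION%20SELECT%201,2 HTTP/1.1" 500 0
203.0.113.7 - - [10/Aug/2024:12:00:03 +0000] "GET /api/monitor/12/metric/mem HTTP/1.1" 200 480
198.51.100.20 - - [10/Aug/2024:12:00:05 +0000] "GET /api/monitor/5/metric/disk?interval=1h HTTP/1.1" 200 600
198.51.100.20 - - [10/Aug/2024:12:00:06 +0000] "GET /api/alert/list HTTP/1.1" 200 300
""".splitlines()

# Constructed burst: twelve requests from one source inside twelve seconds.
BURST_LINES = [
    f'192.0.2.9 - - [10/Aug/2024:12:01:{i:02d} +0000] "GET /api/monitor/{i}/metric/cpu HTTP/1.1" 200 500'
    for i in range(12)
]


def parse_line(line):
    """Return a dict with ip, url, status and a parsed datetime, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def decoded_url_parts(url):
    """Percent-decode path segments and query pairs; payloads usually arrive encoded."""
    parts = urlsplit(url)
    segments = [unquote_plus(s) for s in parts.path.split("/") if s]
    pairs = [unquote_plus(kv) for kv in parts.query.split("&") if kv]
    return segments + pairs


def sqli_hits(url):
    """Return the patterns (as strings) that match anywhere in the decoded URL."""
    text = " ".join(decoded_url_parts(url))
    return [p.pattern for p in SQLI_PATTERNS if p.search(text)]


def analyze(lines, burst_threshold=10, window_seconds=60):
    """Return alerts for /api/monitor/* requests: per-request SQL patterns and per-IP bursts."""
    alerts = []
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not urlsplit(rec["url"]).path.startswith(MONITOR_PREFIX):
            continue
        by_ip[rec["ip"]].append(rec["time"])
        hits = sqli_hits(rec["url"])
        if hits:
            alerts.append({"type": "sqli_pattern", "ip": rec["ip"], "url": rec["url"], "patterns": hits})
    # Burst detection: sliding window over each source's sorted timestamps.
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({"type": "burst", "ip": ip, "count": end - start + 1})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG + BURST_LINES):
        print(alert)
```

Run against a real log by replacing the constructed lines with the file contents; the burst threshold and window are tuning knobs, and a legitimate dashboard polling many monitors may need a higher threshold than the constructed value used here.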
🔗 References
- https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/manager/src/main/java/org/dromara/hertzbeat/manager/controller/MonitorsController.java#L202
- https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L242
- https://github.com/dromara/hertzbeat/blob/1f12ac9f2a1a3d86b1d476775e14174243b250a8/warehouse/src/main/java/org/dromara/hertzbeat/warehouse/store/HistoryTdEngineDataStorage.java#L295
- https://securitylab.github.com/advisories/GHSL-2023-254_GHSL-2023-256_HertzBeat/