CVE-2024-45106
📋 TL;DR
This vulnerability in Apache Ozone's S3 Gateway allows any authenticated Kerberos user to revoke and regenerate S3 secrets of any other user, potentially causing denial of service or privilege escalation. It affects Apache Ozone 1.4.0 installations with specific configurations enabled. Organizations using Ozone for S3-compatible storage with Kerberos authentication are at risk.
💻 Affected Systems
- Apache Ozone
📦 What is this software?
Ozone by Apache
⚠️ Risk & Real-World Impact
Worst Case
Malicious insider or compromised Kerberos account could revoke S3 access for all users, causing complete denial of service for S3 operations and potentially gaining unauthorized access to other users' data.
Likely Case
Unauthorized revocation of targeted users' S3 secrets, causing service disruption for those users until their secrets are manually regenerated, with possible data-access problems in the meantime.
If Mitigated
Limited impact if proper access controls and monitoring are in place, with quick detection of unauthorized secret revocation attempts.
🎯 Exploit Status
Requires Kerberos authentication and specific configuration settings. Attacker needs valid Kerberos credentials and knowledge of target user's identity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Ozone 1.4.1
Vendor Advisory: https://lists.apache.org/thread/rylnxwttp004kvotpk9j158vb238pfkm
Restart Required: No
Instructions:
1. Download Apache Ozone 1.4.1 from official Apache mirrors.
2. Stop Ozone services.
3. Replace the existing installation with the 1.4.1 binaries.
4. Start Ozone services.
5. Verify functionality.
🔧 Temporary Workarounds
Disable vulnerable HTTP endpoint
Set ozone.s3g.secret.http.enabled to false to disable the affected endpoint. The property is read from ozone-site.xml; the S3 Gateway must be restarted for the change to take effect.
<property>
  <name>ozone.s3g.secret.http.enabled</name>
  <value>false</value>
</property>
Remove administrative privileges
Ensure the user in ozone.s3g.kerberos.principal is NOT listed in ozone.s3.administrators or ozone.administrators. Both are comma-separated lists in ozone-site.xml; remove the S3 Gateway principal from them and restart the affected services.
<property>
  <name>ozone.administrators</name>
  <value>ozone-admin</value>   <!-- must not include the s3g principal -->
</property>
<property>
  <name>ozone.s3.administrators</name>
  <value>ozone-admin</value>   <!-- must not include the s3g principal -->
</property>
🧯 If You Can't Patch
- Implement both workarounds: disable the HTTP endpoint and remove administrative privileges from the Kerberos principal
- Implement strict network segmentation and firewall rules to limit access to Ozone S3 Gateway endpoints
🔍 How to Verify
Check if Vulnerable:
Vulnerable if all three hold: running Ozone 1.4.0; ozone.s3g.secret.http.enabled=true; and the user in ozone.s3g.kerberos.principal is in ozone.s3.administrators or ozone.administrators.
Check Version:
ozone version
Verify Fix Applied:
Verify that the Ozone version is 1.4.1 or later using the 'ozone version' command.
📡 Detection & Monitoring
Log Indicators:
- Unexpected S3 secret revocation events
- Multiple failed S3 authentication attempts after secret changes
- HTTP POST requests to /secret/revoke or /secret/regenerate endpoints
Network Indicators:
- Unusual HTTP traffic to Ozone S3 Gateway secret management endpoints
- Multiple Kerberos authentication requests from single source
SIEM Query:
source="ozone.log" AND ("secret/revoke" OR "secret/regenerate") AND NOT user="expected_admin"
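The detection logic above, as an added example that is not part of the original advisory summary: a small Python detector that applies the same rule as the SIEM query (secret-management endpoints hit by a principal other than the expected administrator) to log lines, and adds two refinements a responder would want: it singles out the cross-user case the CVE describes (caller differs from the target user) and correlates a later 403 for the tampered user, matching the "failed S3 authentication attempts after secret changes" indicator. The log lines are constructed for this example, and the field layout (user=, method=, path=, target=, status=) is an assumption, not Ozone's actual S3 Gateway log format; adapt the regular expression to the real log before use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log lines for this example. The field layout
# (user=, method=, path=, target=, status=) is an assumption,
# not Ozone's real S3 Gateway log format.
SAMPLE_LOG = """\
2024-08-20T10:01:02Z INFO  S3Gateway user=alice@EXAMPLE.COM method=GET path=/bucket1/key1 status=200
2024-08-20T10:01:05Z INFO  S3Gateway user=ozone-admin@EXAMPLE.COM method=POST path=/secret/revoke target=bob status=200
2024-08-20T10:02:11Z INFO  S3Gateway user=mallory@EXAMPLE.COM method=POST path=/secret/revoke target=alice status=200
2024-08-20T10:02:13Z INFO  S3Gateway user=mallory@EXAMPLE.COM method=POST path=/secret/regenerate target=alice status=200
2024-08-20T10:02:40Z WARN  S3Gateway user=alice@EXAMPLE.COM method=GET path=/bucket1/key1 status=403
2024-08-20T10:03:00Z INFO  S3Gateway user=bob@EXAMPLE.COM method=POST path=/secret/regenerate target=bob status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+S3Gateway\s+user=(?P<user>\S+)\s+method=(?P<method>\w+)"
    r"\s+path=(?P<path>\S+)(?:\s+target=(?P<target>\S+))?\s+status=(?P<status>\d+)$"
)

# Endpoints named in the advisory's log indicators.
SECRET_PATHS = {"/secret/revoke", "/secret/regenerate"}


@dataclass
class Event:
    ts: str
    user: str               # authenticated Kerberos principal of the caller
    method: str
    path: str
    target: Optional[str]   # whose secret is acted on (assumed field)
    status: int


@dataclass
class Alert:
    ts: str
    severity: str           # "high" or "info"
    reason: str
    user: str
    path: str
    target: Optional[str] = None


def short_name(principal: str) -> str:
    """Strip realm/instance: alice@EXAMPLE.COM or svc/host@REALM -> alice / svc."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def parse(log_text: str) -> List[Event]:
    """Parse lines matching the assumed layout; anything else is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["user"], m["method"], m["path"],
                                m["target"], int(m["status"])))
    return events


def find_suspicious(log_text: str, expected_admins: Set[str]) -> List[Alert]:
    """Flag secret-management calls by unexpected principals and their fallout.

    expected_admins holds short names (e.g. {"ozone-admin"}) allowed to
    revoke/regenerate other users' secrets.
    """
    alerts: List[Alert] = []
    tampered: Set[str] = set()   # users whose secret an unexpected principal changed
    for ev in parse(log_text):
        caller = short_name(ev.user)
        if ev.path in SECRET_PATHS:
            if caller in expected_admins:
                continue   # expected administrative use, same exclusion as the SIEM query
            if ev.target and ev.target != caller:
                # The CVE's scenario: a non-admin acting on someone else's secret.
                tampered.add(ev.target)
                alerts.append(Alert(ev.ts, "high",
                                    "cross-user secret change by non-admin principal",
                                    ev.user, ev.path, ev.target))
            else:
                alerts.append(Alert(ev.ts, "info", "self-service secret change (review)",
                                    ev.user, ev.path, ev.target))
        elif ev.status == 403 and caller in tampered:
            # Victim's requests start failing after their secret was revoked/regenerated.
            alerts.append(Alert(ev.ts, "high",
                                "access denied after unauthorized secret change",
                                ev.user, ev.path))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG, {"ozone-admin"}):
        print(a.ts, a.severity, a.reason, a.user, a.path, a.target or "-")
```

Run against the constructed sample, the detector raises two high alerts for mallory's calls against alice's secret, a third for alice's subsequent 403, and an informational entry for bob regenerating his own secret; the administrator's revoke of bob's secret is not flagged, which is the same exclusion the SIEM query expresses with NOT user="expected_admin".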