CVE-2024-50311
📋 TL;DR
This CVE describes a denial-of-service vulnerability in OpenShift's GraphQL batching functionality. Attackers can send requests containing thousands of aliases in a single query, causing excessive resource consumption that makes the application unavailable to legitimate users. This affects OpenShift deployments with GraphQL endpoints exposed.
💻 Affected Systems
- Red Hat OpenShift Container Platform
📦 What is this software?
Red Hat OpenShift Container Platform is Red Hat's enterprise Kubernetes distribution. The vulnerable code is the GraphQL endpoint it serves; consult RHSA-2024:6122 for the exact component and the affected versions.
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability for extended periods, affecting all users and potentially disrupting business operations.
Likely Case
Temporary service degradation or intermittent outages affecting user access to OpenShift services.
If Mitigated
Minimal impact where per-query limits (complexity, depth, alias count) and rate limiting are in place. Rate limiting alone only slows the attack, because one oversized query is enough to consume resources.
🎯 Exploit Status
Exploitation requires only sending crafted GraphQL queries with an excessive number of aliases to the endpoint. No authentication is needed beyond being able to reach the endpoint, so any network path to it is in scope.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check RHSA-2024:6122 for specific patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:6122
Restart Required: Yes
Instructions:
1. Review the RHSA-2024:6122 advisory.
2. Update OpenShift to the patched version specified in the advisory.
3. Restart the affected services/components.
4. Verify the fix is applied (see How to Verify below).
🔧 Temporary Workarounds
Implement GraphQL Query Complexity Limits
Configure the GraphQL server to limit query complexity, query depth and the number of aliases per operation, and cap the number of operations accepted in one batched request. These checks must run before execution; a limit enforced afterwards has already paid the cost.
# Configuration depends on the GraphQL implementation. graphql-java, for example, ships graphql.analysis.MaxQueryComplexityInstrumentation and graphql.analysis.MaxQueryDepthInstrumentation; a complexity limit also bounds alias floods, because each aliased field is scored as a separate field. A direct alias cap is usually a custom validation rule.
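The alias cap described above can be enforced cheaply in front of the executor. What follows is an added example, not code from OpenShift or from the advisory: a pre-parse guard in Python that counts `alias: field` pairs and batch size in a GraphQL request body and rejects the request when either exceeds an assumed limit (MAX_ALIASES and MAX_BATCH are illustrative values), plus a builder for the flooded query so the guard can be exercised. All sample queries are constructed.

```python
import json
from typing import List, Tuple

# Added example (not OpenShift or advisory code): a pre-execution guard that
# rejects alias floods and oversized batches before the GraphQL executor runs.
MAX_ALIASES = 50   # assumed limit; measure your largest legitimate query first
MAX_BATCH = 10     # assumed cap on operations per batched HTTP request


def count_aliases(query: str) -> int:
    """Count `alias: field` pairs in an executable GraphQL document.

    A colon at parenthesis depth 0 that follows a Name is an alias. Colons
    inside parentheses belong to arguments, variable definitions or directive
    arguments (including input-object literals nested in them). Comments and
    string literals are skipped so a ':' inside them is never counted.
    """
    i, n = 0, len(query)
    depth = 0             # current '(' nesting level
    aliases = 0
    prev_was_name = False
    while i < n:
        c = query[i]
        if c == "#":                                   # comment runs to end of line
            while i < n and query[i] not in "\r\n":
                i += 1
            prev_was_name = False
        elif c == '"':
            if query.startswith('"""', i):             # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                      # plain string, honour escapes
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1
                i += 1
            prev_was_name = False
        elif c == "(":
            depth += 1
            prev_was_name = False
            i += 1
        elif c == ")":
            depth = max(depth - 1, 0)
            prev_was_name = False
            i += 1
        elif c == ":":
            if depth == 0 and prev_was_name:
                aliases += 1
            prev_was_name = False
            i += 1
        elif c.isalpha() or c == "_":                  # Name token
            while i < n and (query[i].isalnum() or query[i] == "_"):
                i += 1
            prev_was_name = True
        elif c in " \t\r\n,":                          # insignificant; keeps prev_was_name
            i += 1
        else:                                          # { } [ ] $ @ ! ... digits
            prev_was_name = False
            i += 1
    return aliases


def check_operations(ops: List[object]) -> Tuple[bool, str]:
    """Check a list of operations (a batch) against both caps."""
    if len(ops) > MAX_BATCH:
        return False, f"batch of {len(ops)} operations exceeds {MAX_BATCH}"
    total = 0
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, "operation is missing a string 'query' field"
        total += count_aliases(op["query"])
        if total > MAX_ALIASES:
            return False, f"alias count {total} exceeds {MAX_ALIASES}"
    return True, "ok"


def check_request(body: str) -> Tuple[bool, str]:
    """Parse a JSON request body (single operation or batch array) and check it."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    return check_operations(payload if isinstance(payload, list) else [payload])


def build_alias_flood(n: int) -> str:
    """Constructed abusive query: n aliases of the same field in one operation."""
    fields = " ".join(f"a{i}: me {{ id }}" for i in range(n))
    return f"query {{ {fields} }}"


# Constructed benign sample: one real alias, several colons that are not aliases.
BENIGN = """
query Benign($id: ID!) {
  # colon in a comment, alias: not counted
  me: user(id: $id, filter: {status: "x:y"}) { id name }
  project(slug: "p:1") @include(if: true) { ... on Project { id } }
}
"""

if __name__ == "__main__":
    print(count_aliases(BENIGN))                                          # 1
    print(check_operations([{"query": BENIGN}]))                          # (True, 'ok')
    print(check_request(json.dumps({"query": build_alias_flood(1000)})))  # rejected
    print(check_request(json.dumps([{"query": "{ me { id } }"}] * 11)))   # rejected
```

count_aliases deliberately avoids a full parser: in an executable document a colon outside parentheses that follows a Name can only be an alias, so the scan is linear and runs before any parsing cost is paid. Run it against the largest legitimate query your clients issue before picking MAX_ALIASES, and keep the batch cap even if you trust single operations, since the batched form multiplies whatever per-operation budget you allow.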
Rate Limiting at API Gateway
Implement rate limiting on GraphQL endpoints to slow down abuse. This caps how many requests a client can send, not how expensive each one is; a single oversized query still runs, so pair it with a request-body size cap (nginx client_max_body_size) and the server-side query limits above.
# Example using nginx, in the http block: limit_req_zone $binary_remote_addr zone=gql:10m rate=10r/s;
# Then apply to the GraphQL location block: limit_req zone=gql burst=20 nodelay;
🧯 If You Can't Patch
- Implement network-level controls to restrict access to GraphQL endpoints
- Deploy Web Application Firewall (WAF) with GraphQL attack detection rules
🔍 How to Verify
Check if Vulnerable:
Compare the running OpenShift version against the affected versions listed in RHSA-2024:6122. To confirm the behaviour, send a GraphQL query with an excessive number of aliases to a non-production instance only; a single such request can be enough to degrade the endpoint.
Check Version:
oc version
Verify Fix Applied:
After patching, repeat the alias-heavy query against a non-production instance and confirm that it is rejected or limited, and that CPU and memory on the endpoint stay flat while it runs.
📡 Detection & Monitoring
Log Indicators:
- Unusually large GraphQL requests
- High CPU/memory usage on GraphQL endpoints
- Multiple failed requests with similar patterns
Network Indicators:
- Bursts of traffic to GraphQL endpoints
- Large HTTP POST requests to GraphQL URLs
SIEM Query (field names are illustrative; map them to your log schema):
source="openshift" AND (url_path="/graphql" OR url_path="/api/graphql") AND http_request_size > 100000
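To turn the indicators above into something that runs, here is an added example that is not from the page's source or from Red Hat: a Python detector that parses a custom access-log format and flags a source that sends a burst of large POSTs to a GraphQL path, or any single slow GraphQL request. The log format is assumed to be `$remote_addr [$time_local] "$request" $status $request_length $request_time` (the standard combined format logs response size, not request size, so it cannot drive the size filter). The log lines are constructed, and the thresholds are assumptions that match the 100000-byte filter in the SIEM query.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not Red Hat or OpenShift code). Assumed custom log format:
#   $remote_addr [$time_local] "$request" $status $request_length $request_time
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<req_len>\d+) (?P<req_time>[\d.]+)$"
)
GRAPHQL_PATHS = ("/graphql", "/api/graphql")
LARGE_REQUEST = 100_000          # bytes; same threshold as the SIEM query above
SLOW_REQUEST = 5.0               # seconds; assumed
WINDOW = timedelta(seconds=60)   # sliding window per source; assumed
BURST = 5                        # large GraphQL POSTs per window; assumed


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string before matching
        "status": int(m["status"]),
        "req_len": int(m["req_len"]),
        "req_time": float(m["req_time"]),
    }


def detect(lines):
    """Return (ip, alert_kind, timestamp) tuples for the two indicators.

    large-graphql-burst: BURST or more GraphQL POSTs >= LARGE_REQUEST bytes
    from one source within WINDOW (reported once per source).
    slow-graphql-request: any GraphQL POST whose request_time >= SLOW_REQUEST,
    which also catches batches of small operations that are expensive together.
    """
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of recent large GraphQL POSTs
    flagged = set()
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["path"] not in GRAPHQL_PATHS:
            continue
        if e["req_time"] >= SLOW_REQUEST:
            alerts.append((e["ip"], "slow-graphql-request", e["ts"]))
        if e["req_len"] < LARGE_REQUEST:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= BURST and e["ip"] not in flagged:
            flagged.add(e["ip"])
            alerts.append((e["ip"], "large-graphql-burst", e["ts"]))
    return alerts


# Constructed log lines (not real traffic); 203.0.113.7 is the abusive source.
SAMPLE_LOG = """\
203.0.113.7 [12/Nov/2024:10:00:01 +0000] "POST /graphql HTTP/1.1" 200 184231 0.412
198.51.100.2 [12/Nov/2024:10:00:02 +0000] "POST /graphql HTTP/1.1" 200 642 0.031
203.0.113.7 [12/Nov/2024:10:00:03 +0000] "POST /graphql HTTP/1.1" 200 184231 0.455
203.0.113.7 [12/Nov/2024:10:00:05 +0000] "POST /api/graphql HTTP/1.1" 200 190002 12.301
198.51.100.9 [12/Nov/2024:10:00:06 +0000] "POST /api/pods HTTP/1.1" 201 250000 0.090
203.0.113.7 [12/Nov/2024:10:00:08 +0000] "POST /graphql HTTP/1.1" 200 184231 0.470
203.0.113.7 [12/Nov/2024:10:00:11 +0000] "POST /graphql?op=x HTTP/1.1" 503 184231 0.500
203.0.113.7 [12/Nov/2024:10:00:14 +0000] "POST /graphql HTTP/1.1" 503 184231 0.510
198.51.100.2 [12/Nov/2024:10:00:20 +0000] "GET /graphql HTTP/1.1" 200 120 0.002
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for ip, kind, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {ip} {kind}")
```

The two signals are kept separate on purpose: request size catches alias floods at the gateway before they finish executing, while request time catches a batch of small operations that is only expensive in aggregate. The 503 lines from the flooded source are the outage itself; they still count toward the burst so the alert fires even when the endpoint has already started failing.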