CVE-2024-55238
📋 TL;DR
OpenMetadata versions up to 1.4.1 contain a SQL injection vulnerability in the listCount function of the WorkflowDAO interface. An attacker who can reach the endpoint can supply crafted workflowtype and status parameters to execute arbitrary SQL queries and extract sensitive database information. All deployments running a vulnerable OpenMetadata version are affected.
💻 Affected Systems
- OpenMetadata
📦 What is this software?
Openmetadata by Open Metadata
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of sensitive metadata, user credentials, and potential privilege escalation to execute arbitrary database operations.
Likely Case
Unauthorized data extraction from OpenMetadata database including user information, configuration data, and metadata about data assets.
If Mitigated
Limited impact with proper input validation and database permission restrictions, potentially only allowing data viewing without modification.
🎯 Exploit Status
A proof of concept is available in a GitHub gist. Exploitation requires access to the vulnerable endpoint, but the SQL injection itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 1.4.1
Vendor Advisory: https://github.com/open-metadata/OpenMetadata/security/advisories
Restart Required: Yes
Instructions:
1. Upgrade OpenMetadata to version 1.4.2 or later.
2. Restart the OpenMetadata service.
3. Verify the fix by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall rule or application-side input validation that blocks SQL injection patterns in the workflowtype and status parameters.
Database Permission Restriction
Limit the database permissions of the OpenMetadata application account to read-only.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to OpenMetadata endpoints
- Deploy web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check OpenMetadata version via admin interface or by examining deployment configuration. Versions <= 1.4.1 are vulnerable.
Check Version:
Check OpenMetadata UI admin panel or deployment configuration files for version information
Verify Fix Applied:
After upgrade, verify version is > 1.4.1 and test the vulnerable endpoint with SQL injection payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts or parameter manipulation in application logs
- Unexpected database connections from OpenMetadata application
Network Indicators:
- SQL keywords in HTTP parameters to OpenMetadata endpoints
- Unusual data volume from OpenMetadata database queries
SIEM Query:
source="openmetadata" AND (http.uri="*workflow*" AND (http.param="*SELECT*" OR http.param="*UNION*" OR http.param="*OR*"))
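The SIEM query above matches SQL keywords as substrings, so the `*OR*` wildcard also fires on ordinary values such as `Error` or `author`. The script below is an added detection example, not code from the page or from the OpenMetadata project: it parses a constructed, simplified access-log format (`<client_ip> <method> <path_and_query> <status_code>`), decodes the query string, and flags requests to a workflow URI whose parameter values contain a SQL keyword at a word boundary. The endpoint path `/api/v1/workflows` and all log lines are assumptions made for the example. The naive substring matcher is kept alongside so the two results can be compared on the same input.

```python
"""Flag HTTP requests to workflow endpoints whose query parameters carry SQL
keywords, with word-boundary matching to avoid the substring false positives
of a plain '*OR*' wildcard."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real OpenMetadata logs).
# Assumed format: "<client_ip> <method> <path_and_query> <status_code>".
# The endpoint path is also an assumption for this example.
SAMPLE_LOGS = [
    "10.0.0.5 GET /api/v1/workflows?workflowType=TEST_CONNECTION&status=Successful 200",
    "10.0.0.7 GET /api/v1/workflows?workflowType=TEST_CONNECTION&status=Error 200",
    "10.0.0.9 GET /api/v1/workflows?workflowType=x%27%20OR%201%3D1--&status=Failed 200",
    "10.0.0.3 GET /api/v1/users?name=selector 200",
    "10.0.0.4 GET /api/v1/workflows?workflowType=TEST_CONNECTION&status=x%27%20UNION%20SELECT%20NULL-- 500",
]

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
# Keywords from the advisory's SIEM query, matched only as whole words.
SQL_WORD_RE = re.compile(r"\b(select|union|or)\b", re.IGNORECASE)
# The same keywords matched the way the SIEM wildcards do: as substrings.
NAIVE_TOKENS = ("SELECT", "UNION", "OR")


def parse_log_line(line):
    """Split one log line into ip, method, path, decoded query params and status.
    Returns None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so %27 becomes a quote and %20 a space.
    params = parse_qsl(url.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": url.path,
        "params": params,
        "status": int(m.group("status")),
    }


def is_workflow_request(entry):
    """Equivalent of http.uri="*workflow*" in the SIEM query."""
    return "workflow" in entry["path"].lower()


def naive_match(entry):
    """Mirror the SIEM query literally: any parameter value containing
    SELECT, UNION or OR as a substring, case-insensitively."""
    if not is_workflow_request(entry):
        return False
    return any(tok in value.upper() for _, value in entry["params"] for tok in NAIVE_TOKENS)


def keyword_match(entry):
    """Return the name of the first parameter whose decoded value contains a
    SQL keyword as a whole word, or None if the request looks benign."""
    if not is_workflow_request(entry):
        return None
    for name, value in entry["params"]:
        if SQL_WORD_RE.search(value):
            return name
    return None


def scan(lines):
    """Word-boundary detection over a batch of log lines: list of (ip, param)."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        param = keyword_match(entry)
        if param is not None:
            hits.append((entry["ip"], param))
    return hits


def naive_hits(lines):
    """Substring detection over the same batch: list of client ips flagged."""
    flagged = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None and naive_match(entry):
            flagged.append(entry["ip"])
    return flagged


if __name__ == "__main__":
    print("word-boundary hits:", scan(SAMPLE_LOGS))
    print("substring hits:    ", naive_hits(SAMPLE_LOGS))
```

On the sample input the substring matcher also flags the request with `status=Error`, while the word-boundary matcher reports only the two requests whose decoded parameter values actually contain a SQL keyword, together with the parameter name that carried it. Keyword matching alone still misses encodings and comment tricks, so treat it as a triage signal and pair it with the database-side indicators listed above.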
🔗 References
- https://gist.github.com/javadk/68c597cdb94768dab31a3219c2ad9904
- https://github.com/open-metadata/OpenMetadata/blob/98945cb2db87ebb325d3a72131f049abffcba345/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L4243
- https://github.com/open-metadata/OpenMetadata/blob/98945cb2db87ebb325d3a72131f049abffcba345/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/CollectionDAO.java#L4247