Advisory

Security vulnerabilities reported in OpenMetadata platform, including two critical

Take action: If you are using OpenMetadata in your infrastructure, it is time to review the current setup. You have a bit of time because the exploits require authentication. First check whether you can lock it down and isolate it from the public internet. Then apply the patches, but don't delay: any user with access to an unpatched instance can exploit these flaws.


Learn More

Security vulnerabilities of critical severity were identified in OpenMetadata, an open-source metadata management platform. The vulnerabilities allow for remote code execution and authentication bypass attacks on OpenMetadata deployments.

These issues are tracked under five distinct CVE identifiers:

  • CVE-2024-28253 (CVSS score 9.4)
  • CVE-2024-28847 (CVSS score 8.8)
  • CVE-2024-28254 (CVSS score 8.8)
  • CVE-2024-28848 (CVSS score 8.8)
  • CVE-2024-28255 (CVSS score 9.8)

The first four vulnerabilities are caused by the improper handling of the Spring Expression Language (SpEL) within OpenMetadata. SpEL lets the application evaluate expressions at runtime, so an expression is effectively executable code. Several API endpoints within OpenMetadata were found not to adequately sanitize user-supplied SpEL expressions. This oversight enables attackers to submit crafted requests with malicious SpEL expressions that could lead to arbitrary code execution on the hosting system. The specific endpoints affected include:

  • GET /api/v1/events/subscriptions/validation/condition/
  • PUT /api/v1/events/subscriptions
  • GET /api/v1/policies/validation/condition/
  • PUT /api/v1/policies

These vulnerabilities could be exploited by an authenticated user through crafted requests containing malicious SpEL expressions, which the application would then execute.

The final vulnerability (CVE-2024-28255) is within OpenMetadata's handling of JSON Web Tokens (JWT). This flaw could allow attackers to bypass the authentication checks performed by the JwtFilter component by inserting path traversal sequences into API request paths.
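A detection example for both classes of issue above (SpEL conditions sent to the four listed endpoints, and traversal sequences in API paths), added here and not part of the advisory or of OpenMetadata's own code. It assumes combined-format access logs from the proxy in front of OpenMetadata; the log lines and finding names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoints from the advisory that take a user-supplied SpEL condition (GET: in the URL path; PUT: in the JSON body).
SPEL_GET_PREFIXES = (
    "/api/v1/events/subscriptions/validation/condition/",
    "/api/v1/policies/validation/condition/",
)
SPEL_PUT_PATHS = ("/api/v1/events/subscriptions", "/api/v1/policies")

# SpEL constructs a rule condition never needs: type references T(...) and constructor calls new X(...).
SPEL_RISKY = re.compile(r"\bT\s*\(|\bnew\s+[\w.$]+\s*\(")
# A '..' path segment anywhere in an API request (the JwtFilter bypass class).
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return [(finding, detail), ...] for one access-log line; [] when nothing is flagged."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparseable", line)]
    # Decode twice so a double-encoded '..' or '(' is not missed.
    path = unquote(unquote(m["target"].split("?", 1)[0]))
    findings = []
    if DOTDOT_SEGMENT.search(path):
        findings.append(("path_traversal_in_api_request", path))
    if m["method"] == "GET":
        for prefix in SPEL_GET_PREFIXES:
            if path.startswith(prefix) and SPEL_RISKY.search(path[len(prefix):]):
                findings.append(("spel_type_or_constructor_in_condition", path[len(prefix):]))
    elif m["method"] == "PUT" and path.rstrip("/") in SPEL_PUT_PATHS:
        # The body is not in an access log; cross-check it in application logs.
        findings.append(("spel_write_endpoint_review_body", path))
    return findings

def scan(lines):
    """Flagged (line number, finding, detail) triples over a whole log."""
    return [(n, f, d) for n, line in enumerate(lines, 1) for f, d in classify(line)]

# Constructed sample lines (not real traffic): benign condition, type reference, write endpoint, encoded traversal.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Mar/2024:10:00:01 +0000] "GET /api/v1/policies/validation/condition/matchAnyTag(%27PII.Sensitive%27) HTTP/1.1" 200',
    '10.0.0.9 - bob [12/Mar/2024:10:00:07 +0000] "GET /api/v1/events/subscriptions/validation/condition/T(java.lang.Math).random() HTTP/1.1" 200',
    '10.0.0.9 - bob [12/Mar/2024:10:00:09 +0000] "PUT /api/v1/policies HTTP/1.1" 200',
    '203.0.113.7 - - [12/Mar/2024:10:01:00 +0000] "GET /api/v1/users/%252e%252e/%252e%252e/v1/config HTTP/1.1" 401',
]
```

Running `scan(SAMPLE_LOG)` flags three of the four constructed lines; the PUT finding is only a pointer to inspect the request body elsewhere, since access logs do not carry it.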

Although exploitation of these vulnerabilities requires authenticated access, patching is advised. OpenMetadata released patches for the vulnerabilities as part of their December 2023 update. The project has requested additional time before full public disclosure to enable users to apply these critical patches across their deployments.

Entities utilizing OpenMetadata are urged to immediately update to the latest version containing the patches and to conduct a thorough review of their security measures.
