S4E

CVE-2024-28253 Scanner

CVE-2024-28253 Scanner - Remote Code Execution (RCE) vulnerability in OpenMetaData

Short Info


Level: Critical

Single Scan

Can be used by: Asset Owner

Estimated Time: 10 seconds

Time Interval: 1 week 23 hours

Scan only one: Domain, Subdomain, IPv4


OpenMetaData is commonly deployed by organizations to manage data efficiently through discovery, observability, and governance. It serves a diverse range of industries, offering a centralized metadata repository with in-depth lineage tracking and collaboration among teams. Through its specialized features, OpenMetaData is instrumental in unifying data insights, thereby optimizing organizations' data governance strategies. A large number of digital enterprises and data stewards rely on this platform for systematizing metadata operations and improving decision-making. It is used in many contexts, from small-scale team operations to large, complex enterprise ecosystems. OpenMetaData's ability to provide seamless data management makes it a preferred choice among data-driven enterprises seeking to scale efficiently.

The vulnerability is a Remote Code Execution (RCE) flaw in OpenMetaData. This critical flaw allows attackers to execute arbitrary code remotely, posing significant risks if exploited. The root cause is a SpEL injection in the PUT method of /api/v1/policies, which enables command execution and can lead to full system compromise. Such vulnerabilities can bypass authorization checks, leaving systems open to control by unauthorized parties. Leaving the issue unpatched exposes systems to external threats and to unauthorized access to sensitive data, so detecting this RCE in OpenMetaData calls for a prompt and adequate security response to mitigate the associated risks.

In technical terms, the RCE stems from a SpEL injection in OpenMetaData's "/api/v1/policies" endpoint. A malicious PUT request to this endpoint exploits the conditional authorization checks and the system's lack of input verification, resulting in unauthorized code execution. During exploitation, the system inadequately checks policy creation, allowing malicious Java operations to be executed. Vulnerable expressions, especially within the "condition" parameter of policy rules, are the entry points for arbitrary code execution. Thorough code review and validation checks, especially for dynamically generated policies, are therefore foundational to mitigating this vulnerability.
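As an added illustration (not code from S4E or from the OpenMetaData project), the following Python sketch audits exported policy documents for rule conditions that contain SpEL constructs a policy should never need. The `rules[].condition` layout, the allowlist of helper names and the sample policies are assumptions constructed for this example.

```python
import re

# Assumption: helper names expected in rule conditions; adjust to your deployment.
ALLOWED_CALLS = {"isOwner", "noOwner", "matchAnyTag", "matchAllTags", "matchTeam"}

# SpEL constructs that a policy condition should never need.
SUSPICIOUS = {
    "type-reference": re.compile(r"\bT\s*\("),
    "constructor": re.compile(r"\bnew\s+[A-Za-z_]"),
    "bean-reference": re.compile(r"@\w"),
    "variable-reference": re.compile(r"#\w"),
    "chained-call": re.compile(r"\)\s*\.\s*\w+\s*\("),
    "class-access": re.compile(r"\.\s*(?:class|getClass)\b"),
}
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")

def audit_condition(condition):
    """Return reasons a rule condition looks unsafe; an empty list means clean."""
    # Blank out string literals so tag names cannot trigger a match.
    text = STRING_LITERAL.sub("''", condition)
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    for fn in CALL.findall(text):
        if fn != "T" and fn not in ALLOWED_CALLS:
            reasons.append("unexpected-call:" + fn)
    return reasons

def audit_policy(policy):
    """Return (policy name, rule name, reasons) for each flagged rule."""
    findings = []
    for rule in policy.get("rules", []):
        reasons = audit_condition(rule.get("condition") or "")
        if reasons:
            findings.append((policy.get("name"), rule.get("name"), reasons))
    return findings

# Constructed sample policies (not taken from any real deployment).
SAMPLE_POLICIES = [
    {"name": "pii-owners", "rules": [
        {"name": "owner-edit", "condition": "matchAnyTag('PII.Sensitive') && isOwner()"}]},
    {"name": "imported-policy", "rules": [
        {"name": "no-condition"},
        {"name": "odd-rule", "condition": "T(com.example.Placeholder).run('x')"}]},
]

if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        for finding in audit_policy(policy):
            print(finding)
```

The same check can be applied to request bodies captured for PUT /api/v1/policies in a reverse proxy or audit log, so that unexpected conditions are reviewed before or after they reach the server.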

If successfully exploited, this RCE vulnerability could lead to far-reaching consequences such as unauthorized system access and potential data breaches. Adversaries could gain control over affected systems, leading to data theft, system corruption, or further network infiltration. In extreme cases, this vulnerability might allow for lateral movement within a network, escalating privileges, and targeting additional assets. Organizations found vulnerable to such exploitation may face operational disruptions, financial loss, and reputational damage. Moreover, exposure of confidential data could result in compliance violations and loss of stakeholder trust.
