This patch release fixes a security issue in Graylog v3.1.4. The information below includes important details about this release.
IMPORTANT NOTE: We recommend that all users of Graylog upgrade as soon as possible.
DOWNLOAD LINKS for v3.3.14
Tarballs (manual installation):
SESSION ID LEAK IN GRAYLOG DEBUG LOG FILE AND AUDIT LOG
We recently discovered a session ID leak in the Graylog DEBUG log file as well as the audit log. This means is a user can take over a session ID to authenticate against Graylog, and once they’ve done so, the user has access to all the permissions associated with the owner of the session ID.
The ID was printed in DEBUG level log messages (DEBUG is not enabled by default) as well as the Graylog Enterprise Audit Log. By default, the Graylog Audit Log is only logging to the local database and only accessible by Graylog administrators.
We would like to thank David Herbstmann for discovering and responsibly disclosing this vulnerability.
AFFECTED VERSIONS
- Local DEBUG log file session ID leak: since Graylog v0.20.0
- Audit log session ID leak: since Graylog v2.1.1
DISCLOSURE TIMELINE
July 26 2021: Vulnerability reported to Graylog by David Herbstmann
July 26 2021: Vulnerability confirmed by Graylog
July 28 2021: Patch is ready and new release is built
July 30 2021: Release available to the public
GUIDELINES TO RESOLVE THIS ISSUE
When you update to the new version, Graylog will invalidate all of the open sessions. If you are unable to upgrade to the latest version, you will need to manually delete each open session from the MongoDB.