This patch release fixes a security issue in Graylog v4.1.2. The information below includes important details about this release.

IMPORTANT NOTE: We recommend that all users of Graylog upgrade as soon as possible.

DOWNLOAD LINKS for v4.1.2

Tarballs (manual installation):

SESSION ID LEAK IN GRAYLOG DEBUG LOG FILE AND AUDIT LOG

We recently discovered a session ID leak in the Graylog DEBUG log file as well as the audit log. This means a user can take over a session ID to authenticate against Graylog, and once they’ve done so, the user has access to all the permissions associated with the owner of the session ID.

The ID was printed in DEBUG level log messages (DEBUG is not enabled by default) as well as the Graylog Enterprise Audit Log. By default, the Graylog Audit Log is only logging to the local database and only accessible by Graylog administrators.

We would like to thank David Herbstmann for discovering and responsibly disclosing this vulnerability.

AFFECTED VERSIONS

  • Local DEBUG log file session ID leak: since Graylog v0.20.0
  • Audit log session ID leak: since Graylog v2.1.1

DISCLOSURE TIMELINE

July 26 2021: Vulnerability reported to Graylog by David Herbstmann

July 26 2021: Vulnerability confirmed by Graylog

July 28 2021: Patch is ready and new release is built

July 30 2021: Release available to the public

GUIDELINES TO RESOLVE THIS ISSUE

When you update to the new version, Graylog will invalidate all of the open sessions. If you are unable to upgrade to the latest version, you will need to manually delete each open session from MongoDB.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.