Graylog Security Patch: Session ID Leak

Graylog recently discovered that session IDs were being written to the Graylog DEBUG log file and to the audit log. Anyone who can read those logs could reuse an active or previously active session ID to authenticate as that session's owner, which presents a risk of unauthorized privilege escalation on the Graylog instance. To mitigate the issue, we have published Graylog v3.3.14, v4.0.10, and v4.1.2.

To avoid any potential security risks, we strongly recommend that all users of Graylog upgrade as soon as possible. In addition, we encourage administrators to review which users and systems could read the DEBUG log files and the audit log, and to check existing user accounts for unexpected activity, to confirm there was no exposure.

DETAILS ON THE SESSION ID LEAK

David Herbstmann recently brought to our attention a vulnerability involving Graylog session IDs: they are leaked into the Graylog DEBUG log file and the audit log. The session ID is printed in DEBUG-level log messages (DEBUG is not enabled by default) and in the Graylog Enterprise Audit Log. By default, the Graylog Audit Log is written only to the local database and is accessible only to Graylog administrators. The risk is that anyone who can read these logs can take a session ID and use it to authenticate against Graylog; once they have done so, they hold all the permissions of the user who owns that session.

For further information, the following CVE IDs have been assigned:

  • CVE-2021-37759
  • CVE-2021-37760

NOTE: CVE® is a list of records — each containing an identification number, a description, and at least one public reference — for publicly known cybersecurity vulnerabilities. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

WHY UPGRADE?

When you upgrade your Graylog platform to one of the fixed versions, Graylog stops writing session IDs to the DEBUG log and the audit log and invalidates all open sessions, so every user has to log in again. If you cannot upgrade yet, you will need to delete all open sessions from MongoDB manually (see below), and you should treat your existing DEBUG log files and audit log entries as containing sensitive data until they are rotated or cleaned.

STEPS TO MANUALLY DELETE SESSION IDS

If you are unable to upgrade to any of the new versions, you can remove all sessions from MongoDB using the following instructions:

  1. Log into the host running MongoDB
  2. Open the mongo shell
  3. Switch to the Graylog database using the command: use graylog
  4. List any active sessions using: db.sessions.find({expired : false})
  5. Delete the active sessions using: db.sessions.deleteMany({ expired : false })
  6. Validate that no active sessions remain using: db.sessions.find({}) (any documents still listed should have expired : true; sessions that had already expired are not removed by step 5)

Note that until you upgrade, Graylog keeps writing new session IDs to the DEBUG log and the audit log, so any sessions created after this cleanup are exposed again and the cleanup has to be repeated.
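The same cleanup as a single mongo shell script, added here as an illustration and not part of Graylog's own code or this advisory. It wraps steps 4 to 6 in one function that takes the shell's db handle, adds a dry-run mode so you can preview what would be deleted, and validates on the expired flag rather than on an empty collection. The only assumption about the sessions collection is the one the advisory already makes (documents carry an expired boolean); the _id values in the sample data are constructed for the demo, and the in-memory fake exists only so the script can be exercised without a MongoDB server.

```javascript
// Added example, not Graylog's own code. Run inside mongo/mongosh with:
//   load("cleanup_sessions.js"); cleanupGraylogSessions(db, { dryRun: true }); cleanupGraylogSessions(db)
// or run with node to exercise the same logic against the in-memory fake below.

function cleanupGraylogSessions(database, { dryRun = false } = {}) {
  const sessions = database.getCollection("sessions");

  // Step 4: list the sessions that are still usable.
  const active = sessions.find({ expired: false }).toArray();

  // Step 5: delete them (skipped in dry-run mode so you can preview first).
  const deleted = dryRun ? 0 : sessions.deleteMany({ expired: false }).deletedCount;

  // Step 6: validate. Sessions that were already expired are not removed by
  // step 5 and will still be returned by find({}), so check the `expired`
  // flag instead of expecting an empty collection.
  const remaining = sessions.find({}).toArray();
  const stillActive = remaining.filter((s) => s.expired === false).length;

  return {
    activeBefore: active.length,
    deleted: deleted,
    remainingTotal: remaining.length,
    stillActive: stillActive,
    ok: stillActive === 0, // true only when no usable session is left
  };
}

// In-memory stand-in for the two collection methods used above (find with
// toArray, and deleteMany), so the function can run offline. This is a test
// double, not MongoDB's API.
function makeFakeDb(docs) {
  let store = docs.map((d) => Object.assign({}, d));
  const matches = (doc, query) =>
    Object.keys(query).every((key) => doc[key] === query[key]);
  const collection = {
    find: (query = {}) => ({
      toArray: () => store.filter((d) => matches(d, query)),
    }),
    deleteMany: (query = {}) => {
      const before = store.length;
      store = store.filter((d) => !matches(d, query));
      return { acknowledged: true, deletedCount: before - store.length };
    },
  };
  return { getCollection: () => collection };
}

// Constructed sample data: two live sessions and one that already expired.
const SAMPLE_SESSIONS = [
  { _id: "session-a", expired: false },
  { _id: "session-b", expired: false },
  { _id: "session-c", expired: true },
];

// Runs the cleanup against the fake; returns the same summary the real run would.
function demo() {
  return cleanupGraylogSessions(makeFakeDb(SAMPLE_SESSIONS));
}

// Only print the demo when there is no shell `db` handle, i.e. under node.
if (typeof db === "undefined") {
  console.log(demo());
}
```

The dry run is worth doing first on a production instance: it tells you how many users are about to be logged out without touching the collection. Either way, the returned stillActive count is the number that must be zero before you consider the cleanup done.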

AFFECTED VERSIONS

  • Local DEBUG log file session ID leak: since Graylog v0.20.0
  • Audit log session ID leak: since Graylog v2.1.1

RELEASE NOTES FOR DOWNLOAD LINKS

Graylog v4.1.2

Graylog v4.0.10

Graylog v3.3.14
