A recent vulnerability (CVE-2024-57971) has been discovered in Knowage Server, specifically in the implementation of the SpagoBI API support in the DataSourceResource.java file. The issue stems from insufficient validation of JNDI (Java Naming and Directory Interface) names: the code does not ensure that the "java:comp/env/jdbc/" prefix is present at the beginning of these names. This vulnerability affects all KNOWAGE versions up to and including 8.1.29. Exploiting this vulnerability may allow an attacker to perform malicious actions, such as remote code execution or unauthorized data access.

Details

The vulnerability is found in the DataSourceResource.java file in the SpagoBI API support for Knowage Server. Because JNDI names are insufficiently validated, the "java:comp/env/jdbc/" prefix is not guaranteed to be at the beginning of a JNDI name. As a result, malicious JNDI names can be injected, which could potentially enable attackers to execute arbitrary remote code or gain unauthorized access to sensitive data.

Reference: CVE-2024-57971

Exploit

To exploit this vulnerability, an attacker could craft a malicious request to the affected Knowage Server, using a specially formatted JNDI name that lacks the required "java:comp/env/jdbc/" prefix at its start. The injected JNDI name could then enable an attacker to execute arbitrary remote code or gain unauthorized access to sensitive data.

Code snippet from DataSourceResource.java

private void checkJndiName(String jndiName) throws BadRequestException {
  if (!jndiName.startsWith("java:comp/env/jdbc/")) {
    throw new BadRequestException("JNDI Name should start with 'java:comp/env/jdbc/'");
  }
}

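The snippet above is the JNDI name check from DataSourceResource.java. The flaw described by CVE-2024-57971 is that affected versions do not ensure the "java:comp/env/jdbc/" prefix is present at the start of the JNDI name. A check written with startsWith, as shown, rejects any name that does not begin with that prefix.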
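To make the "prefix at the beginning" requirement concrete, the following added example (not Knowage code) compares a hypothetical unanchored check with an anchored one over constructed sample names. The class name, the `unanchored` and `anchored` helpers, the character allow-list after the prefix, and the sample values are all assumptions made for illustration; the allow-list goes beyond the prefix rule the advisory describes.

```java
import java.util.List;
import java.util.regex.Pattern;

public class JndiNameCheck {
    static final String PREFIX = "java:comp/env/jdbc/";

    // Assumption: the resource name after the prefix is one or more
    // slash-separated segments of letters, digits, '_', '.' and '-'.
    static final Pattern ALLOWED =
        Pattern.compile("[A-Za-z0-9_.\\-]+(/[A-Za-z0-9_.\\-]+)*");

    // Hypothetical weak check: the prefix may appear anywhere in the name,
    // so a name that starts with a different scheme still passes.
    static boolean unanchored(String name) {
        return name != null && name.contains(PREFIX);
    }

    // Anchored check: the prefix must be the first characters of the name,
    // and the remainder must be a plain resource name with no ".." segments.
    static boolean anchored(String name) {
        if (name == null || !name.startsWith(PREFIX)) {
            return false;
        }
        String rest = name.substring(PREFIX.length());
        return ALLOWED.matcher(rest).matches() && !rest.contains("..");
    }

    public static void main(String[] args) {
        // Constructed sample inputs; example.invalid is a reserved test domain.
        List<String> samples = List.of(
            "java:comp/env/jdbc/knowage",                       // expected form
            "jdbc/knowage",                                     // prefix missing
            "ldap://example.invalid/java:comp/env/jdbc/knowage", // prefix not at start
            " java:comp/env/jdbc/knowage",                      // leading whitespace
            "java:comp/env/jdbc/",                              // empty resource name
            "java:comp/env/jdbc/../other");                     // parent-segment reference
        for (String s : samples) {
            System.out.printf("%-52s unanchored=%-5b anchored=%b%n",
                "\"" + s + "\"", unanchored(s), anchored(s));
        }
    }
}
```

Only the first sample passes the anchored check, while the unanchored check accepts every sample except "jdbc/knowage".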

Mitigation

To mitigate this vulnerability, users of Knowage Server are advised to upgrade their installations to version 8.1.30 or later, which introduces proper validation of JNDI names, ensuring that they begin with the appropriate "java:comp/env/jdbc/" prefix.

It is also recommended to closely monitor logs and access patterns for any signs of potential exploitation or suspicious activity.

Conclusion

CVE-2024-57971 is a critical security vulnerability that affects Knowage Server. Because JNDI names are not validated correctly, attackers may be able to exploit the system and conduct malicious actions, such as remote code execution or unauthorized data access. Users are urged to upgrade their Knowage installations to version 8.1.30 or later, and to keep monitoring server logs and access patterns to safeguard against threats.

Timeline

Published on: 02/16/2025 04:15:23 UTC
Last modified on: 03/21/2025 14:15:15 UTC