CVE CyberSecurity Database News

CVE-2024-57971 - How a Small Validation Fault in DataSourceResource.java Breaks Database Security in Knowage Server

Poster -

CVE-2024-57971 is a scary-sounding number if you run a Knowage Business Intelligence (BI) server. This serious vulnerability in versions _before 8.1.30_ means an attacker could connect your server to pretty much any database they want—even those you never meant to expose. The root cause? A little bit of sloppy checking in the DataSourceResource.java file.

In this article, we'll walk through the bug in simple terms, examine the relevant code, show you how an exploit might work, and point you to official sources for more reading.

What’s Going On?

KNOWAGE (and its earlier brand, SpagoBI) lets admins define database data sources using JNDI names. Normally, a JNDI name should always start with:

java:comp/env/jdbc/

Think of that as KNOWAGE saying, “I’m only hooking up to the local, *predefined* database connections.”

The Problem

The API didn’t actually check that the JNDI name _fully_ began with that “safe” string. An attacker could pass in a sneaky JNDI name (like ldap://attacker.com/db) and trick Knowage into connecting to their malicious service. This could lead to data leaks, credential theft, or even remote code execution, depending on the underlying application server.

The Faulty (but Educational!) Code

Here's a simplified snippet to show what went wrong. Imagine inside DataSourceResource.java, a method looked like this:

// BAD: Only checks if the string contains, not if it starts with!
if (jndiName.contains("java:comp/env/jdbc/")) {
    dataSource.setJndiName(jndiName);
    // All good, proceed...
} else {
    // Reject the name
}

Why is this dangerous?

Because abcjava:comp/env/jdbc/evil or ldap://localhost/java:comp/env/jdbc/ would BOTH be treated as valid. It only looks for the string anywhere, not at the start.

The code needs to check the _beginning_ of the string only

// GOOD: Assures the JNDI name starts with the safe string
if (jndiName.startsWith("java:comp/env/jdbc/")) {
    dataSource.setJndiName(jndiName);
    // This actually guarantees a safe, local JNDI resource.
} else {
    // Reject the unsafe name
}

`

ldap://evil.com/malicious

`

or

`

rmi://attacker-server/mydb

Or a serialized object to exploit Java deserialization (worst case: remote code execution).

Result: Attacker can read or control sensitive information on the server.


## How to Fix / Patch

If you're stuck on an older version, audit your DataSourceResource.java for anything that uses JNDI names. Replace contains() with startsWith(). Even better: upgrade to Knowage 8.1.30 or newer.

Official References

- CVE Record: CVE-2024-57971
- KNOWAGE Release Notes 8.1.30
- JNDI Injection Cheat Sheet (OWASP)

Summary

A little code mistake in Knowage—using .contains() instead of .startsWith()—broke a core security boundary, letting attackers specify dangerous, remote JNDI names. If you run Knowage before 8.1.30, read the CVE, patch ASAP, and always be careful with user input in security-critical systems.


Want to see the knowage server fix? Check the GitHub commit here. (for illustration, not a real link)

Timeline

Published on: 02/16/2025 04:15:23 UTC
Last modified on: 03/21/2025 14:15:15 UTC