CVE-2023-36812: Fix for #2269 and #2267 XSS vulnerability. · OpenTSDB/opentsdb@fa88d3e

OpenTSDB is an open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to a Remote Code Execution vulnerability: user-controlled input is written to a Gnuplot configuration file and Gnuplot is then run with the generated configuration. This issue has been patched in commit 07c4641471c and further refined in commit fa88d3e4b. These patches are available in the 2.4.2 release. Users are advised to upgrade. Users unable to upgrade may disable Gnuplot via the config option `tsd.core.enable_ui = true` and remove the shell files mygnuplot.bat and mygnuplot.sh.


@@ -25,6 +25,7 @@

import java.util.HashSet;

import java.util.List;

import com.google.common.html.HtmlEscapers;

import net.opentsdb.core.Const;

import net.opentsdb.core.TSDB;

import net.opentsdb.graph.Plot;
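Review bot: the new `import com.google.common.html.HtmlEscapers;` is the only change in this hunk and it sits between the `java.util` block and the `net.opentsdb` block, which matches the file's existing grouping; worth confirming that Guava is already a declared (not merely transitive) dependency of this module before merging, since the escaper is now load-bearing for the error pages in the two hunks below.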


@@ -373,14 +374,18 @@ public void internalError(final Exception cause) {

buf.append(“\"}”);

sendReply(HttpResponseStatus.INTERNAL_SERVER_ERROR, buf);

} else {

String response = "";

if (pretty_exc != null) {

response = HtmlEscapers.htmlEscaper().escape(pretty_exc);

}

sendReply(HttpResponseStatus.INTERNAL_SERVER_ERROR,

makePage("Internal Server Error", "Houston, we have a problem",

“<blockquote>”

+ “<h1>Internal Server Error</h1>”

+ “Oops, sorry but your request failed due to a”

+ " server error.<br/><br/>"

+ “Please try again in 30 seconds.<pre>”

+ pretty_exc

+ response

+ “</pre></blockquote>”));

}

}
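Review bot: the rendered view has lost the +/- markers, so please confirm that the line `+ pretty_exc` is the one being removed and `+ response` the one being added; if both survived, the raw exception text would still be concatenated into the `<pre>` right next to its escaped copy and the XSS would remain. With only `+ response` kept, `HtmlEscapers.htmlEscaper().escape(pretty_exc)` is the right choice for element content inside `<pre>`, and the `response = ""` default means a null `pretty_exc` now renders an empty block instead of the literal "null" the old concatenation produced, which reads as an intentional improvement but deserves a short comment.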


@@ -420,14 +425,18 @@ public void badRequest(final BadRequestException exception) {

buf.append(“\"}”);

sendReply(HttpResponseStatus.BAD_REQUEST, buf);

} else {

String response = "";

if (exception.getMessage() != null) {

response = HtmlEscapers.htmlEscaper().escape(exception.getMessage());

}

sendReply(HttpResponseStatus.BAD_REQUEST,

makePage("Bad Request", "Looks like it’s your fault this time",

“<blockquote>”

+ “<h1>Bad Request</h1>”

+ “Sorry but your request was rejected as being”

+ " invalid.<br/><br/>"

+ “The reason provided was:<blockquote>”

+ exception.getMessage()

+ response

+ “</blockquote></blockquote>”));

}

}
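Review bot: same check as in the `internalError` hunk: confirm `+ exception.getMessage()` is the removed line and `+ response` the added one, otherwise the unescaped message is still emitted inside the inner `<blockquote>`. The guard `if (exception.getMessage() != null)` correctly avoids escaping a null, and the escaped value is inserted in HTML body context, which is what Guava's `htmlEscaper()` is specified for; if the message is ever reused in an attribute or script context elsewhere in `makePage`, that location needs its own context-appropriate escaping rather than relying on this one.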


Related news

OpenTSDB 2.4.1 Unauthenticated Command Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1.

GHSA-76f7-9v52-v2fw: Remote Code Execution for 2.4.1 and earlier

### Impact

OpenTSDB is vulnerable to a Remote Code Execution vulnerability: user-controlled input is written to a Gnuplot configuration file and Gnuplot is then run with the generated configuration.

### Patches

Patched in [07c4641471c6f5c2ab5aab615969e97211eb50d9](https://github.com/OpenTSDB/opentsdb/commit/07c4641471c6f5c2ab5aab615969e97211eb50d9) and further refined in https://github.com/OpenTSDB/opentsdb/commit/fa88d3e4b5369f9fb73da384fab0b23e246309ba

### Workarounds

Disable Gnuplot via `tsd.core.enable_ui = true` and remove the shell files https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.bat and https://github.com/OpenTSDB/opentsdb/blob/master/src/mygnuplot.sh.
