Critical Flaws Uncovered in OpenObserve: A Deep Dive into CVE-2024-25106 & CVE-2024-24830

OpenObserve is a cloud-native observability platform designed for the meticulous demands of logs, metrics, traces, analytics, and Real User Monitoring (RUM). Tailored to operate at a petabyte scale, OpenObserve simplifies the complex task of data observability, offering a user-friendly alternative to Elasticsearch. However, two recently disclosed critical vulnerabilities (CVE-2024-25106 and CVE-2024-24830) expose users to a dangerous combination of unauthorized access and privilege escalation risks.

CVE-2024-25106 (CVSS 9.1): OpenObserve Unauthorized Access Vulnerability in Users API

At the heart of this vulnerability lies a critical oversight in the user management system of OpenObserve. The “/api/{org_id}/users/{email_id}” endpoint, intended for user management, fails to validate the administrative privileges of the user initiating the request. Consequently, any authenticated user within an organization gains the capability to remove any other user, irrespective of their assigned roles. This includes the alarming ability to remove users with “Admin” and “Root” privileges, thus jeopardizing the sanctity of user management and organizational hierarchy.

The Core Issues:

• Lack of privilege validation: The vulnerability stems from the failure to verify the administrative privileges of the requesting user.
• Unrestricted user removal: Any authenticated user within the organization can remove other users, including those with higher privileges, without proper authorization.

The implications of this vulnerability are severe and far-reaching. By exploiting this flaw, malicious actors can tamper with the user base, leading to unauthorized system access, administrative lockout, or operational disruptions. Furthermore, the indiscriminate nature of user removal poses a critical risk to organizational security and stability.

CVE-2024-24830 (CVSS 9.9): OpenObserve Privilege Escalation Vulnerability in Users API

In a similar vein, this vulnerability underscores a fundamental flaw in the role-based access control system of OpenObserve. The “/api/{org_id}/users” endpoint fails to validate user roles during the user creation process, allowing regular users to assign elevated privileges, including the coveted ‘root’ role, to new users. This unauthorized privilege escalation circumvents established security controls and poses a significant threat to data security and system integrity.

The ramifications of this vulnerability are profound, particularly for users in administrative roles. The unauthorized assignment of elevated privileges grants unbridled control over application resources, undermining the integrity of role-based access control and exposing sensitive data to potential exploitation.

Mitigation and Remediation:

Fortunately, both vulnerabilities have been addressed in version >= 0.8.0 of OpenObserve. Users are strongly advised to promptly update their systems to the latest version to mitigate the risks posed by these vulnerabilities.