CVE-2020-15813: Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections. Unfortunately, the Graylog client code (in all versions that support LDAP) does not implement proper certificate validation (regardless of whether the "Allow self-signed certificates" option is used). Therefore, any attacker with the ability to intercept network traffic between a Graylog server and an LDAP server is able to redirect traffic to a different LDAP server (unnoticed by the Graylog server due to the lack of certificate validation), effectively bypassing Graylog's authentication mechanism. Upstream issue has a fix in the 3.3.3 milestone (URL). PR (appears potentially unfinished): https://github.com/Graylog2/graylog2-server/pull/8569
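The failure mode described in the report, shown as an added example in plain JNDI (this is not code from the bug report, from Graylog or from Gentoo). The first method mirrors an LDAP client that accepts any server certificate chain and any hostname: an on-path attacker who redirects the connection to a rogue LDAP server terminates TLS with a certificate of their choosing, answers the bind, and thereby decides who Graylog considers authenticated. The second method pins trust to an explicit PEM certificate (a private CA, or the LDAP server's own self-signed certificate, which is the right way to handle the "self-signed" case instead of switching validation off) and leaves the JDK's default RFC 2830 hostname check in force, so a redirected connection fails inside negotiate() before any credential is sent. Hostname, bind DN, password and the PEM path are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class LdapStartTlsExample {

    // Placeholder values; none of these come from the bug report or from Graylog.
    static final String LDAP_URL = "ldap://ldap.example.com:389";
    static final String BIND_DN  = "cn=graylog-bind,ou=services,dc=example,dc=com";
    static final String BIND_PW  = "bind-password";

    static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        return env;
    }

    /** Load one PEM certificate (private CA or the LDAP server's own self-signed cert) into an in-memory trust store. */
    static KeyStore trustStoreFromPem(String pemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        try (InputStream in = new FileInputStream(pemPath)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            ks.setCertificateEntry("ldap-trust-anchor", cert);
        }
        return ks;
    }

    /**
     * VULNERABLE pattern: every certificate chain is accepted and every hostname passes.
     * Whoever terminates TLS on the redirected connection controls the bind result.
     */
    static LdapContext connectTrustingEverything() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // never rejects
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, trustAll, new SecureRandom());

        LdapContext ctx = new InitialLdapContext(baseEnv(), null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.setHostnameVerifier((hostname, session) -> true); // also disables the RFC 2830 name check
        tls.negotiate(ssl.getSocketFactory());
        bind(ctx);
        return ctx;
    }

    /**
     * HARDENED pattern: the chain must validate against the supplied trust store and the
     * JDK's default hostname verification stays active. A redirected connection fails in
     * negotiate() with an SSLHandshakeException instead of proceeding to the bind.
     */
    static LdapContext connectWithValidation(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, tmf.getTrustManagers(), new SecureRandom());

        LdapContext ctx = new InitialLdapContext(baseEnv(), null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(ssl.getSocketFactory()); // throws on untrusted chain or name mismatch
        bind(ctx);                              // credentials leave the process only after TLS is verified
        return ctx;
    }

    /** Simple bind over the already-negotiated TLS layer. */
    static void bind(LdapContext ctx) throws Exception {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, BIND_PW);
        ctx.reconnect(null);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = trustStoreFromPem(args.length > 0 ? args[0] : "ldap-ca.pem");
        LdapContext ctx = connectWithValidation(ts);
        System.out.println("TLS verified against trust store; bound as " + BIND_DN);
        ctx.close();
    }
}
```

Two caveats worth keeping in mind when checking a deployment. First, certificate validation only matters once encryption is actually turned on: the report notes that Graylog also allows unencrypted LDAP, and on a plain ldap:// connection the same traffic redirection works with no certificate at all. Second, a quick way to confirm a fixed client really validates is to point it at an LDAP server presenting an untrusted or wrong-name certificate; the hardened path above must refuse the connection in negotiate(), and a client that still binds is still vulnerable.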
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f22752d5c89481ddb1eda81cef7632ab4bcb217d

commit f22752d5c89481ddb1eda81cef7632ab4bcb217d
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-08-05 09:02:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-06 16:09:13 +0000

    app-admin/graylog: drop vulnerable

    Bug: https://bugs.gentoo.org/733114
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17010
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/graylog/Manifest             |  2 -
 app-admin/graylog/graylog-3.3.1.ebuild | 83 ----------------------------------
 app-admin/graylog/graylog-3.3.2.ebuild | 83 ----------------------------------
 3 files changed, 168 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ba778ceecf5cd87d8f90c931e891cdff644564a

commit 6ba778ceecf5cd87d8f90c931e891cdff644564a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-08-05 09:02:12 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-06 16:09:12 +0000

    app-admin/graylog: bump to 3.3.3

    Bug: https://bugs.gentoo.org/733114
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/graylog/Manifest             |  1 +
 app-admin/graylog/graylog-3.3.3.ebuild | 83 ++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Thanks!