A critical vulnerability has been discovered in the widely used open-source Time Series Database (TSDB), OpenTSDB version 2.4.1. OpenTSDB is developed by Benoit Sigoure and is designed to gather, store, and present metrics from various computer systems in the form of easily interpretable data graphs. The vulnerability, which has been categorized as CWE-74 by the Common Weakness Enumeration (CWE), is related to the Gnuplot Configuration File Handler component and allows for injection attacks.
According to a recent advisory by Vulmon, the vulnerability is caused by an unknown function of the component Gnuplot Configuration File Handler. This function can be manipulated with an unknown input, leading to an injection vulnerability. If exploited, this vulnerability can result in remote code execution, which could have severe consequences for affected systems.
The vulnerability in OpenTSDB was publicly disclosed on July 1, 2023, and has been assigned the identifier GHSA-76f7-9v52-v2fw. It has also been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-36812 on June 27, 2023. However, the technical details of the vulnerability remain undisclosed, and no public exploit has been detected so far.
To address the vulnerability, the OpenTSDB development team promptly released patches in commit 07c4641471c and further refined them in commit fa88d3e4b. These patches have been included in the latest release, version 2.4.2, which is highly recommended for all users. By upgrading to version 2.4.2, users can effectively eliminate the vulnerability and ensure the secure operation of OpenTSDB.
For users who are unable to upgrade immediately, there are two workarounds available. They can disable the vulnerable Gnuplot functionality by setting the configuration option tsd.core.enable_ui to “true.” Additionally, they should remove the shell files mygnuplot.bat and mygnuplot.sh from their OpenTSDB installations, as suggested by the Vulmon advisory.
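To turn the advisory's two workarounds and the upgrade advice into something an operator can verify, the following Python audit is an added example (not OpenTSDB project code). It assumes a version string such as the one printed by the `tsdb version` tool, an `opentsdb.conf` in OpenTSDB's `key = value` format, and a list of files from the install tree, all constructed here. Because the OpenTSDB default for `tsd.core.enable_ui` is `true`, the check treats the Gnuplot-backed UI as still active unless the option is explicitly set to `false`, which is what "disable" requires in practice.

```python
"""Audit an OpenTSDB install against the CVE-2023-36812 advisory (added example).

Reports whether the host is covered by the 2.4.2 fix or, failing that, whether
both workarounds are in place: UI/Gnuplot disabled and the mygnuplot.* shell
files removed.
"""
import os
import re
from dataclasses import dataclass, field

FIXED_VERSION = (2, 4, 2)                       # first release carrying the patch
GNUPLOT_SHELL_FILES = ("mygnuplot.sh", "mygnuplot.bat")


def parse_version(text: str) -> tuple:
    """Pull a dotted numeric version (e.g. 2.4.1) out of free text."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def parse_conf(text: str) -> dict:
    """Parse OpenTSDB's 'key = value' config lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


@dataclass
class AuditResult:
    version: tuple
    vulnerable_version: bool      # True when older than 2.4.2
    ui_enabled: bool              # tsd.core.enable_ui not explicitly false
    leftover_files: list          # mygnuplot.sh / mygnuplot.bat still present
    findings: list = field(default_factory=list)

    @property
    def mitigated(self) -> bool:
        """Fixed release, or both workarounds applied together."""
        if not self.vulnerable_version:
            return True
        return not self.ui_enabled and not self.leftover_files


def audit(version_text: str, conf_text: str, install_files) -> AuditResult:
    """Evaluate version, config and file listing; return a structured verdict."""
    version = parse_version(version_text)
    conf = parse_conf(conf_text)
    # OpenTSDB defaults tsd.core.enable_ui to true, so an absent key means "on".
    ui_enabled = conf.get("tsd.core.enable_ui", "true").lower() != "false"
    leftover = sorted(p for p in install_files
                      if os.path.basename(p) in GNUPLOT_SHELL_FILES)

    result = AuditResult(version, version < FIXED_VERSION, ui_enabled, leftover)
    if result.vulnerable_version:
        result.findings.append(
            f"version {'.'.join(map(str, version))} is older than 2.4.2; upgrade")
        if ui_enabled:
            result.findings.append("tsd.core.enable_ui is not false; UI/Gnuplot still active")
        for path in leftover:
            result.findings.append(f"Gnuplot wrapper still present: {path}")
    return result


if __name__ == "__main__":
    # Constructed sample inputs standing in for a real host.
    sample_version = "OpenTSDB version [2.4.1]"
    sample_conf = "tsd.network.port = 4242\ntsd.core.enable_ui = true  # default\n"
    sample_files = ["/opt/opentsdb/mygnuplot.sh", "/opt/opentsdb/opentsdb.conf"]
    verdict = audit(sample_version, sample_conf, sample_files)
    print("mitigated:", verdict.mitigated)
    for finding in verdict.findings:
        print(" -", finding)
```

Feed the audit the real `tsdb version` output, the live `opentsdb.conf` and an `os.walk` listing of the install root; a `mitigated` of `False` means the host is still exposed by the article's criteria.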
It is worth noting that patch management remains an ongoing issue in several organizations, as previously reported by The Cyber Express. It is crucial for organizations to prioritize patching and keep their software up to date to mitigate the risks associated with vulnerabilities like the one found in OpenTSDB.
This particular vulnerability in OpenTSDB 2.4.1 differs from a previously reported vulnerability, CVE-2020-35476, which pertains to version 2.4.0. The issue discussed here bypasses the fix for that earlier vulnerability, allowing remote code execution in OpenTSDB version 2.4.1. Furthermore, insufficient patching of CVE-2020-35476 resulted in another vulnerability, CVE-2023-25826, according to Synopsys researchers. That vulnerability allows attackers to execute arbitrary commands on the host system.
The discovery of the critical vulnerability in OpenTSDB is credited to researchers Gal Goldstein and Daniel Abeles from Oxeye, who promptly reported the issue to the OpenTSDB development team. Users of OpenTSDB 2.4.1 are strongly advised to upgrade to version 2.4.2 or implement the provided workarounds as soon as possible to mitigate the risks associated with this critical vulnerability.
More details and the patched version can be found on the OpenTSDB GitHub repository at github.com.
