CVE-2023-41041: 
Java vulnerability analysis and mitigation

Graylog, a free and open log management platform, was found to have a session management vulnerability (CVE-2023-41041) affecting versions from 1.0.0 up to versions 5.0.9 and 5.1.3. The vulnerability was discovered and disclosed in July 2023, where in a multi-node Graylog cluster setup, user sessions remained active and usable for API requests even after explicit user logout, until reaching their original expiry time (GitHub Advisory).

The vulnerability stems from the session management implementation in multi-node clusters. Each node maintains an in-memory cache of user sessions, loading sessions from the database upon cache-miss. When a user logs out, the session is removed from the node-local cache and deleted from the database, but other nodes continue using their cached version. The vulnerability can be exploited by preventing session updates through the 'X-Graylog-No-Session-Extension:true' header in requests, allowing the node to consider the cached session valid until timeout. The issue has been assigned a CVSS v3.1 score of 3.1 (LOW) (NVD).

While no session identifiers are leaked, the vulnerability allows previously valid sessions to remain usable for API requests against the Graylog cluster even after user logout. The impact is limited to the configured session lifetime from the time of logout. Although the UI shows the login screen after logout, giving users the impression of session termination, compromised session credentials could still be used to make API requests (GitHub Advisory).

The vulnerability has been addressed in Graylog versions 5.0.9 and 5.1.3. Users are advised to upgrade to these patched versions. The fix includes improvements to session management across cluster nodes and proper session invalidation upon logout (GitHub Advisory, GitHub Patch).