CVE-2024-24824: 
Java vulnerability analysis and mitigation

Graylog, a free and open log management platform, disclosed a critical vulnerability (CVE-2024-24824) affecting versions from 2.0.0 up to versions 5.1.11 and 5.2.4. The vulnerability allows arbitrary classes to be loaded and instantiated using a HTTP PUT request to the /api/system/cluster_config/ endpoint. This vulnerability was discovered and reported by Fabian Yamaguchi from Whirly Labs (Pty) Ltd (GitHub Advisory).

The vulnerability stems from Graylog's cluster config system using fully qualified class names as config keys. When validating the existence of requested classes, Graylog loads the class using the class loader without proper restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

If exploited, this vulnerability allows attackers with appropriate permissions to instantiate arbitrary classes with 1-arg String constructors, potentially executing arbitrary code during class instantiation. In the specific case of java.io.File, the vulnerability can lead to information disclosure by exposing entire file contents in the response to REST requests (GitHub Advisory).

The vulnerability has been patched in versions 5.1.11 and 5.2.4. The fix includes implementing a new safe_classes configuration option to restrict the classes allowed to be used as cluster config and event types. The default configuration allows only classes within the org.graylog. and org.graylog2. namespaces (GitHub Commit).