Response to CVE-2023-22949
Type: Security
Original Date: January 2024
Summary
In April 2023, NVD - CVE-2023-22949 was filed as a vulnerability with a medium base score of 4.9, pertaining to TigerGraph version 3.7.0 and TigerGraph Cloud. The CVE notes that authenticated GSQL access requests were logged by TigerGraph, including both the username and password of the user in an easily decodable base64 form. That could allow a TigerGraph administrator to effectively harvest usernames/passwords.
TigerGraph addressed this vulnerability in February 2023, prior to the filing of the CVE, in the following ways:
-
A patch was applied in all production (LTS) branches (3.6 and 3.9).
-
The 3.7.0 Feature Preview branch has now reached end of life and is no longer available.
-
TigerGraph Cloud tracks with the most recent database updates, ensuring the most secure and stable versions of TigerGraph on the platform.
Remediation Details
TigerGraph detected this vulnerability prior to the filing of the CVE. The vulnerability was fully patched by always masking user credentials in log files, as highlighted in the example below:
-
Before the patch, the log was:
"auth":"Basic dGlnZXJncmFwaDp0aWdlcmdyYXBo"
. -
After the patch, the log is:
"auth":<masked>
.
Notably, TigerGraph’s two LTS (Long Term Support) branches, 3.6 and 3.9, were patched in February 2023 (GLE-4774 and GLE-4718), two months before this CVE. The CVE detected the vulnerability in 3.7.0, a Feature Preview branch released in September 2022. The 3.7.0 Feature Preview branch has now reached end of life and is no longer available. Additionally, the CVE detected the vulnerability in TigerGraph Cloud, but TigerGraph Cloud tracks with the most recent database updates, fixing the vulnerability by ensuring the most secure and stable versions are utilized on the platform.
The patch not only fortified the platform, but also strengthened TigerGraph’s security posture further against other exploits, such as CVE-2022-30331 (which was also disputed in TigerGraph’s documentation in a previous alert), by removing this attack vector for obtaining administrative user login credentials.
TigerGraph versions 3.6.3, 3.9.0 and later and TigerGraph Cloud already underwent updates effectively eliminating the vulnerability in distributed versions of TigerGraph.