openITCOCKPIT
cpe:2.3:a:it-novum:openitcockpit:*:*:*:*:*:*:*
- <= 5.3.1
openITCOCKPIT Community Edition versions through 5.3.1 contain an unsafe PHP deserialization pattern in changelog processing that results in a latent PHP object injection vulnerability. Serialized changelog data, which is influenced by attacker-controlled application state, is unserialized without restrictions on allowed classes. No current application endpoint introduces PHP objects into this data path, but the unrestricted unserialize() call means that future code changes, plugins, or refactors could make the issue exploitable, with severe consequences including remote code execution.
Exploitation of this vulnerability could result in unauthorized PHP object injection, allowing for remote code execution, arbitrary file modification, and a complete compromise of the application.
The vulnerability can be reproduced by manually injecting a serialized PHP object payload into the changelog data column of the database. This can be done by using a database management tool to update a changelog entry with a payload that includes a serialized object, such as a Guzzle HTTP cookie jar object configured to execute a system command. Once the payload is injected, accessing the changelog through the application interface will trigger the deserialization, executing the injected command.
Users are advised to update to openITCOCKPIT version 5.4.0 or later, where this vulnerability has been addressed. In version 5.4.0, the deserialization has been modified to restrict allowed classes, preventing potential object injection while maintaining functionality.
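The restriction described above can be illustrated with PHP's `allowed_classes` option for unserialize(), together with an audit check for objects already stored in changelog data. This is an added example, not openITCOCKPIT's code: `DemoMarker`, `decodeChangelog()` and `containsSerializedObject()` are hypothetical names, the rows are constructed, and PHP 8.0 or later is assumed.

```php
<?php
// Added example, not openITCOCKPIT code. All names are hypothetical and
// the sample rows are constructed for illustration.

final class DemoMarker
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++; // stands in for any side effect of a magic method
    }
}

// Hardened decode: no class is instantiated; any serialized object is
// returned as an inert __PHP_Incomplete_Class and no magic method runs.
function decodeChangelog(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Audit helper: true if the decoded value holds an object at any array depth.
function containsSerializedObject(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsSerializedObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed rows standing in for the changelog data column.
$rows = [
    1 => serialize(['Host' => ['name' => 'web01', 'address' => '192.0.2.10']]),
    2 => serialize(['Host' => ['name' => new DemoMarker()]]),
];

foreach ($rows as $id => $blob) {
    unserialize($blob);                      // unrestricted form: __wakeup() may run
    $afterUnsafe = DemoMarker::$wakeups;
    $flagged = containsSerializedObject(decodeChangelog($blob)); // restricted form
    printf("row %d: wakeups after unrestricted call=%d, restricted call added=%d, object stored=%s\n",
        $id, $afterUnsafe, DemoMarker::$wakeups - $afterUnsafe, $flagged ? 'yes' : 'no');
}
```

Changelog data is expected to contain only scalars and arrays, so any row the audit helper flags is worth investigating as possible tampering.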