CVE-2021-38283 in Holmes Orchestrator

Summary

by MITRE • 11/29/2021

Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote attackers to read application log files containing sensitive information via a predictable /log URI.


Analysis

by VulDB Data Team • 12/02/2021

The vulnerability identified as CVE-2021-38283 affects Wipro Holmes Orchestrator version 20.4.1, representing a critical information disclosure flaw that enables remote attackers to access sensitive application log files through a predictable URI endpoint. This vulnerability stems from improper access controls within the application's logging infrastructure, where the /log URI path is easily discoverable and accessible without authentication or authorization mechanisms. The predictable nature of this URI makes it susceptible to automated scanning and exploitation by threat actors seeking to gather sensitive information from the system.

The technical flaw resides in the application's handling of log file access permissions, where the system fails to implement proper authentication checks before serving log content. This allows any remote attacker to directly access the /log URI and retrieve potentially sensitive data including user credentials, system information, transaction details, and other confidential operational data that may be logged by the orchestrator application. The vulnerability manifests as a lack of input validation and access control enforcement, creating an information exposure condition that violates fundamental security principles of least privilege and access control.

The operational impact of this vulnerability extends beyond simple information disclosure, as the retrieved log files may contain credentials, session tokens, API keys, system configurations, and detailed operational data that could be leveraged for further attacks. Attackers could potentially use this information to conduct privilege escalation, lateral movement, or identity theft within the targeted environment. The vulnerability creates a persistent threat vector that remains active as long as the application is running without proper patching, allowing attackers to continuously harvest sensitive information from the system's logs. This represents a significant risk to organizations relying on Wipro Holmes Orchestrator for automation and orchestration tasks.

Organizations should immediately implement mitigations including disabling or restricting access to the /log URI endpoint, implementing proper authentication and authorization controls, and conducting comprehensive log analysis to identify any potential exploitation attempts. The vulnerability aligns with CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) classifications, and represents a technique that could be categorized under ATT&CK tactic TA0006 (Credential Access) and technique T1565.001 (Data Manipulation). Security teams should also consider implementing network segmentation, monitoring for unusual access patterns to log endpoints, and conducting regular security assessments to identify similar predictable URI vulnerabilities within their application infrastructure. The recommended remediation involves applying the vendor-provided security patch or implementing temporary workarounds such as firewall rules to restrict access to the vulnerable endpoint.
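The flaw described above is an unauthenticated read of a predictable log endpoint, and the mitigation section recommends monitoring for unusual access to log endpoints. The following script is an added detection example, not code from VulDB, MITRE or Wipro: it parses web-server access log lines in Combined Log Format, matches requests to the /log path (and anything beneath it, while ignoring /login and /logout), and reports every source outside an allowlisted range that received a successful (2xx) response. The log format, the sample lines, the TRUSTED_SOURCES range and the assumption that the orchestrator's endpoint is served at the prefix /log are all constructed for the example and are not taken from the advisory.

```python
"""
Added detection example (not VulDB's, MITRE's or Wipro's code): flag reads of a
predictable log endpoint such as /log in web-server access logs.

Assumptions (not from the advisory): logs are in Combined/Common Log Format,
the log endpoint lives under the path prefix /log, and only hosts inside
TRUSTED_SOURCES are expected to read it.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2021:10:01:12 +0000] "GET /login HTTP/1.1" 200 1043
203.0.113.7 - - [29/Nov/2021:10:02:30 +0000] "GET /log HTTP/1.1" 200 51234
203.0.113.7 - - [29/Nov/2021:10:02:31 +0000] "GET /log/app.log HTTP/1.1" 200 98231
10.0.0.9 - - [29/Nov/2021:10:03:00 +0000] "GET /log HTTP/1.1" 200 51234
198.51.100.4 - - [29/Nov/2021:10:04:15 +0000] "GET /log HTTP/1.1" 401 120
10.0.0.5 - - [29/Nov/2021:10:05:00 +0000] "GET /logout HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hosts allowed to read logs (assumption: an operations jump-host range).
TRUSTED_SOURCES = [ip_network("10.0.0.0/24")]


def is_log_endpoint(path: str) -> bool:
    """True for /log and any path beneath it; /login and /logout do not match."""
    path = path.split("?", 1)[0]
    return path == "/log" or path.startswith("/log/")


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_log_exposure(text: str) -> dict:
    """Return one finding per untrusted source that received a 2xx response
    from the log endpoint: request count, bytes served and distinct paths."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "paths": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_log_endpoint(rec["path"]):
            continue
        if 200 <= rec["status"] < 300 and not is_trusted(rec["ip"]):
            h = hits[rec["ip"]]
            h["requests"] += 1
            h["bytes"] += 0 if rec["size"] == "-" else int(rec["size"])
            h["paths"].add(rec["path"].split("?", 1)[0])
    return {
        ip: {"requests": h["requests"], "bytes": h["bytes"], "paths": sorted(h["paths"])}
        for ip, h in hits.items()
    }


if __name__ == "__main__":
    for ip, info in find_log_exposure(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} successful log reads, "
              f"{info['bytes']} bytes served, paths={info['paths']}")
```

Run against the constructed sample, only 203.0.113.7 is reported: the 401 from 198.51.100.4 shows the endpoint refusing that request, and 10.0.0.9 falls inside the trusted range. The byte count is included because a large response body is the strongest signal that log content, rather than an error page, was actually served; point the script at the real access log of the host fronting the orchestrator and adjust TRUSTED_SOURCES to the hosts that legitimately read logs.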

Reservation

08/09/2021

Disclosure

11/29/2021

Moderation

accepted

CPE

ready

EPSS

0.02412

KEV

no

Activities

very low

Sources
