Collate Update on OpenMetadata CVE-2024-XXXX
Sriharsha Chintalapani, CTO
Collate, the unified platform for discovery, observability, and governance, is built on the open source OpenMetadata project, and we are dedicated to the security of our enterprise customers. As part of our commitment to the open source community, we work with independent security researchers who scan our public code for vulnerabilities and help improve the security of our software.
On December 14, 2023, the OpenMetadata CVE-2024-XXXX security vulnerability was privately disclosed to us, and it was patched on January 5, 2024. All Collate customers, including SaaS, Hybrid, and BYOC deployments, were automatically upgraded to a patched version in January 2024. No action is required by Collate customers.
Timeline:
December 14, 2023: GitHub Security Lab privately notified the OpenMetadata community of the vulnerability.
December 14, 2023 - January 5, 2024: The Collate team investigated the issue and developed a fix.
January 5, 2024: We released a patch in OpenMetadata release 1.2.4 addressing the vulnerability. All Collate customers were upgraded at this time.
April 2024: The vulnerability was publicly disclosed after the standard 90-day period.
Discovery:
Alvaro Muñoz of GitHub Security Lab privately disclosed a vulnerability (CVE-2024-XXXX) affecting certain versions of OpenMetadata. We thank him for the responsible manner in which he shared his findings.
About OpenMetadata CVE-2024-XXXX:
The vulnerability could allow users who were not authenticated, or who were authenticated but held no administrative role, to inject malicious payloads and bypass security policies, potentially leading to privilege escalation.
It affected specific API endpoints and required the attacker to have network access to the OpenMetadata instance, for example an instance exposed to the public internet.
Risk Analysis and Resolution:
The managed OpenMetadata service offered by Collate was not exposed to this vulnerability, because it is protected by firewalls, monitoring for malicious activity, and the other security controls described in the Collate Information Security Policy.
Collate automatically upgraded all customers to the security patch in January 2024, including SaaS, Hybrid, and BYOC deployments.
Collate Security Posture:
Collate's security program follows industry best practices that limited customers' exposure to this vulnerability, including:
Regular SOC2 auditing for security and compliance
Ongoing third-party and first-party pen testing
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
Static and dynamic security testing of all code, including open source libraries
Security design reviews and automated code scans
We are posting this update now, per the Collate Responsible Disclosure Policy. For any questions, please reach out to our security team at security@getcollate.io or to me directly at harsha@getcollate.io.