Showing 2 changed files with 87 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
--- | ||
layout: post | ||
title: 'Quarkus security releases for CVE-2023-4853' | ||
date: 2023-09-14 | ||
tags: release | ||
synopsis: 'We released Quarkus 3.3.3, 3.2.6.Final and 2.6.11.Final to fix CVE-2023-4853.' | ||
author: gsmet | ||
--- | ||
|
||
We have just released updates to Quarkus 2.16.11.Final, 3.2.6.Final, and 3.3.3 and Red Hat build of Quarkus 2.13.18.SP2 that fix the issue reported in CVE-2023-4853. | ||
|
||
This issue affects anyone using HTTP security path-based rules to protect HTTP endpoints. | ||
|
||
== Recommendations | ||
|
||
If you are using any older versions of Quarkus (ranging from 0.1 to 3.3.2) and employ path-based security, we highly recommend you upgrade to the most recent releases of 2.16, 3.2, 3.3, or Red Hat build of Quarkus 2.13 as soon as possible. | ||
|
||
If the upgrade is impossible, please see this https://access.redhat.com/security/vulnerabilities/RHSB-2023-002[Red Hat Security Bulletin] for possible mitigations. | ||
|
||
== What is affected | ||
|
||
If you have secured the HTTP endpoints of your Quarkus applications by using path-based rules, as outlined in the following example, you will need to take immediate action. | ||
|
||
**application.properties:** | ||
|
||
[source,properties] | ||
---- | ||
quarkus.http.auth.permission.authenticated.paths=/a/secret/* | ||
quarkus.http.auth.permission.authenticated.policy=authenticated | ||
---- | ||
|
||
or: | ||
|
||
[source,properties] | ||
---- | ||
quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource | ||
quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission | ||
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING | ||
---- | ||
|
||
or: | ||
|
||
[source,properties] | ||
---- | ||
quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm | ||
---- | ||
|
||
**web.xml:** | ||
|
||
[source,xml] | ||
---- | ||
<security-constraint> | ||
<web-resource-collection> | ||
<web-resource-name>test</web-resource-name> | ||
<url-pattern>/secure/*</url-pattern> | ||
<url-pattern>/openapi/*</url-pattern> | ||
<http-method>GET</http-method> | ||
<http-method>POST</http-method> | ||
</web-resource-collection> | ||
<auth-constraint> | ||
<role-name>managers</role-name> | ||
</auth-constraint> | ||
</security-constraint> | ||
---- | ||
|
||
**Vulnerable artifacts:** | ||
|
||
- `io.quarkus:quarkus-vertx-http` | ||
- `io.quarkus:quarkus-undertow` | ||
- `io.quarkus:quarkus-csrf-reactive` | ||
- `io.quarkus:quarkus-keycloak-authorization` | ||
|
||
== About CVE-2023-4853 | ||
|
||
CVE-2023-4853 is a security bug that allows unauthorized access to secured paths—such as `/a/protected/path` simply by adding an extra slash, like so: `/a/protected//path`. | ||
|
||
Although not all Quarkus applications are affected, we consider this issue to be extremely serious due to the triviality of the attack vector. | ||
|
||
== Quarkus Security Policy | ||
|
||
The root cause of this CVE was initially opened as a bug in the Quarkus issue tracker and was unfortunately not recognized as a security bug promptly. | ||
|
||
As soon as the severity was understood, we initiated corrective measures, developed patches and backports, and collaborated with Red Hat Product Security to provide updates. | ||
|
||
**If you suspect a security issue or vulnerability in Quarkus, please report it directly to security (at) quarkus.io - see details about Quarkus Security Policy at https://quarkus.io/security/.** |
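Review bot: the `synopsis:` line in the front matter lists `2.6.11.Final`, but the first body paragraph names `2.16.11.Final` (and also the Red Hat build of Quarkus 2.13.18.SP2), so the front matter and the body disagree on which release is fixed; align the synopsis with the body, e.g. `synopsis: 'We released Quarkus 3.3.3, 3.2.6.Final and 2.16.11.Final to fix CVE-2023-4853.'`. A smaller point in the same hunk: the "About CVE-2023-4853" paragraph illustrates the bypass with `/a/protected/path` versus `/a/protected//path`, while the `application.properties` example earlier protects `/a/secret/*`; using the same path in both places (e.g. `/a/secret/path` versus `/a/secret//path`) would let a reader map the example rule directly onto the bypass it fails to cover.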