gsmet committed Sep 14, 2023
1 parent 0de0f16 commit 190c735
Showing 2 changed files with 87 additions and 2 deletions.
4 changes: 2 additions & 2 deletions _data/versions.yaml
@@ -1,6 +1,6 @@
quarkus:
version: 3.3.2
announce: /blog/quarkus-3-3-2-released/
version: 3.3.3
announce: /blog/cve-2023-4853/
graalvm: '23.0'
jdk: "11+"
maven: 3.8.2+
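Review bot: the new announce path /blog/cve-2023-4853/ has to match the permalink the site generates for _posts/2023-09-14-cve-2023-4853.adoc; the previous value /blog/quarkus-3-3-2-released/ shows the date prefix is stripped from the slug, so the path is consistent with the new file name. Note that this hunk only bumps the 3.3 stream (3.3.2 -> 3.3.3), while the post it links to also announces 3.2.6.Final and 2.16.11.Final; if the rest of this file carries entries for those streams, they need the same bump in this commit.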
85 changes: 85 additions & 0 deletions _posts/2023-09-14-cve-2023-4853.adoc
@@ -0,0 +1,85 @@
---
layout: post
title: 'Quarkus security releases for CVE-2023-4853'
date: 2023-09-14
tags: release
synopsis: 'We released Quarkus 3.3.3, 3.2.6.Final and 2.6.11.Final to fix CVE-2023-4853.'
author: gsmet
---

We have just released updates to Quarkus 2.16.11.Final, 3.2.6.Final, and 3.3.3 and Red Hat build of Quarkus 2.13.18.SP2 that fix the issue reported in CVE-2023-4853.

This issue affects anyone using HTTP security path-based rules to protect HTTP endpoints.

== Recommendations

If you are using any older versions of Quarkus (ranging from 0.1 to 3.3.2) and employ path-based security, we highly recommend you upgrade to the most recent releases of 2.16, 3.2, 3.3, or Red Hat build of Quarkus 2.13 as soon as possible.

If the upgrade is impossible, please see this https://access.redhat.com/security/vulnerabilities/RHSB-2023-002[Red Hat Security Bulletin] for possible mitigations.

== What is affected

If you have secured the HTTP endpoints of your Quarkus applications by using path-based rules, as outlined in the following example, you will need to take immediate action.

**application.properties:**

[source,properties]
----
quarkus.http.auth.permission.authenticated.paths=/a/secret/*
quarkus.http.auth.permission.authenticated.policy=authenticated
----

or:

[source,properties]
----
quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource
quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING
----

or:

[source,properties]
----
quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm
----

**web.xml:**

[source,xml]
----
<security-constraint>
<web-resource-collection>
<web-resource-name>test</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<url-pattern>/openapi/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>managers</role-name>
</auth-constraint>
</security-constraint>
----

**Vulnerable artifacts:**

- `io.quarkus:quarkus-vertx-http`
- `io.quarkus:quarkus-undertow`
- `io.quarkus:quarkus-csrf-reactive`
- `io.quarkus:quarkus-keycloak-authorization`

== About CVE-2023-4853

CVE-2023-4853 is a security bug that allows unauthorized access to secured paths—such as `/a/protected/path` simply by adding an extra slash, like so: `/a/protected//path`.

Although not all Quarkus applications are affected, we consider this issue to be extremely serious due to the triviality of the attack vector.

== Quarkus Security Policy

The root cause of this CVE was initially opened as a bug in the Quarkus issue tracker and was unfortunately not recognized as a security bug promptly.

As soon as the severity was understood, we initiated corrective measures, developed patches and backports, and collaborated with Red Hat Product Security to provide updates.

**If you suspect a security issue or vulnerability in Quarkus, please report it directly to security (at) quarkus.io - see details about Quarkus Security Policy at https://quarkus.io/security/.**
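Review bot: the `synopsis` front-matter line gives the 2.x fix version as 2.6.11.Final, while the body says 2.16.11.Final; the synopsis is what the blog index renders, so correct it to `synopsis: 'We released Quarkus 3.3.3, 3.2.6.Final and 2.16.11.Final to fix CVE-2023-4853.'` and consider also naming Red Hat build of Quarkus 2.13.18.SP2 there, since the body lists it among the fixed releases. The "What is affected" section lists `io.quarkus:quarkus-csrf-reactive` as a vulnerable artifact but the only example for it is `quarkus.csrf-reactive.create-token-path`; a sentence stating which path-based check in that extension is affected would help readers decide whether the upgrade is urgent for them.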
