From 190c735abec218928307a8e9a484e146a83bfbac Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Thu, 14 Sep 2023 23:20:19 +0200
Subject: [PATCH] CVE-2023-4853

---
 _data/versions.yaml | 4 +-
 _posts/2023-09-14-cve-2023-4853.adoc | 85 ++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 2 deletions(-)
 create mode 100644 _posts/2023-09-14-cve-2023-4853.adoc

diff --git a/_data/versions.yaml b/_data/versions.yaml
index 48e5df8af9..3c2853928a 100644
--- a/_data/versions.yaml
+++ b/_data/versions.yaml
@@ -1,6 +1,6 @@
 quarkus:
-  version: 3.3.2
-  announce: /blog/quarkus-3-3-2-released/
+  version: 3.3.3
+  announce: /blog/cve-2023-4853/
 graalvm: '23.0'
 jdk: "11+"
 maven: 3.8.2+
diff --git a/_posts/2023-09-14-cve-2023-4853.adoc b/_posts/2023-09-14-cve-2023-4853.adoc
new file mode 100644
index 0000000000..78c85ae296
--- /dev/null
+++ b/_posts/2023-09-14-cve-2023-4853.adoc
@@ -0,0 +1,85 @@
+---
+layout: post
+title: 'Quarkus security releases for CVE-2023-4853'
+date: 2023-09-14
+tags: release
+synopsis: 'We released Quarkus 3.3.3, 3.2.6.Final and 2.6.11.Final to fix CVE-2023-4853.'
+author: gsmet
+---
+
+We have just released updates to Quarkus 2.16.11.Final, 3.2.6.Final, and 3.3.3 and Red Hat build of Quarkus 2.13.18.SP2 that fix the issue reported in CVE-2023-4853.
+
+This issue affects anyone using HTTP security path-based rules to protect HTTP endpoints.
+
+== Recommendations
+
+If you are using any older versions of Quarkus (ranging from 0.1 to 3.3.2) and employ path-based security, we highly recommend you upgrade to the most recent releases of 2.16, 3.2, 3.3, or Red Hat build of Quarkus 2.13 as soon as possible.
+
+If the upgrade is impossible, please see this https://access.redhat.com/security/vulnerabilities/RHSB-2023-002[Red Hat Security Bulletin] for possible mitigations.
+
+== What is affected
+
+If you have secured the HTTP endpoints of your Quarkus applications by using path-based rules, as outlined in the following example, you will need to take immediate action.
+ +**application.properties:** + +[source,properties] +---- +quarkus.http.auth.permission.authenticated.paths=/a/secret/* +quarkus.http.auth.permission.authenticated.policy=authenticated +---- + +or: + +[source,properties] +---- +quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource +quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission +quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING +---- + +or: + +[source,properties] +---- +quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm +---- + +**web.xml:** + +[source,xml] +---- + + + test + /secure/* + /openapi/* + GET + POST + + + managers + + +---- + +**Vulnerable artifacts:** + +- `io.quarkus:quarkus-vertx-http` +- `io.quarkus:quarkus-undertow` +- `io.quarkus:quarkus-csrf-reactive` +- `io.quarkus:quarkus-keycloak-authorization` + +== About CVE-2023-4853 + +CVE-2023-4853 is a security bug that allows unauthorized access to secured paths—such as `/a/protected/path` simply by adding an extra slash, like so: `/a/protected//path`. + +Although not all Quarkus applications are affected, we consider this issue to be extremely serious due to the triviality of the attack vector. + +== Quarkus Security Policy + +The root cause of this CVE was initially opened as a bug in the Quarkus issue tracker and was unfortunately not recognized as a security bug promptly. + +As soon as the severity was understood, we initiated corrective measures, developed patches and backports, and collaborated with Red Hat Product Security to provide updates. + +**If you suspect a security issue or vulnerability in Quarkus, please report it directly to security (at) quarkus.io - see details about Quarkus Security Policy at https://quarkus.io/security/.**