Spring framework WebFlux High-Severity Access Control Vulnerability
Take action: In most code environments upgrading the Spring library is a fairly complicated activity, with a bunch of testing. If you have the resources and time, definitely update it. Otherwise, the workaround is great, albeit requiring discipline: add a leading forward slash ("/") to any URL filter employed in Spring Security. You can even make a linter rule to catch all offending configurations.
Learn More
Spring Security has taken steps to address a critical access control vulnerability within its latest releases.
The vulnerability is tracked as CVE-2023-34034, (CVSS Score 9.8) - Filter bypass vulnerability in Spring Security
Spring WebFlux applications mostly rely on Spring Security for managing authentication and access control. Given the extensive prevalence of Spring WebFlux within the industry this vulnerability can expose a lot of applications to exploits.
Overview of Spring WebFlux
The Spring Framework, a widely adopted Java-based application framework, forms the foundation for building enterprise-level Java applications. Within this framework, Spring Security plays a pivotal role in ensuring robust authentication and stringent access control, establishing itself as the industry standard for securing Spring-based applications. Its capabilities extend to both authentication and authorization and can be readily customized to meet specific requirements.
Spring WebFlux, introduced in Spring 5, introduces a reactive programming alternative to the conventional Spring Web MVC framework. This technology is tailored to handle asynchronous, non-blocking, and reactive programming paradigms. By embracing a reactive programming model, developers can create applications that exhibit scalability and responsiveness. In contrast to the traditional thread-per-request approach, WebFlux leverages the reactive streams API, enabling the concurrent handling of multiple requests using a limited number of threads.
Deconstructing the Vulnerability
On July 18, 2023, Spring Security rolled out new versions along with a security advisory that piqued the interest of the security community due to its classification as a filter bypass vulnerability.
The vulnerability is best described with an example:
Let’s say you wanted to make all the pages on your site accessible except the admin pages, you may have set the following rule:
.authorizeExchange()
.pathMatchers("admin/**")
.hasRole(Roles.ADMIN)
.and()
.authorizeExchange()
.anyExchange()
.permitAll();
Thinking (sensibly) that now every page under admin/ could be accessed only by admins.
Before the fix, this rule wouldn’t match any admin/ URL, as it’s missing a preceding / and all of the web pages under admin/ will be accessible by anyone.
A key addition was the introduction of the "initFullPathPattern()" function within the "PathPatternParserServerWebExchangeMatcher" class. This function serves to modify an input pattern by appending a forward slash at the start, if absent, effectivelly blocking the vulnerability
Affected Scenarios and Remedial Measures
The vulnerability specifically impacts web applications meeting the following criteria:
- Utilization of the Spring WebFlux framework (older "Spring MVC" applications remain unaffected).
- Dependence on a susceptible Spring Security version (e.g., 5.6.0).
- Use of URL path filtering to establish Spring Security access rules, where the URL path pattern lacks an initial forward slash.
- Incorporation of multiple-segment wildcard characters (**) within the URL path pattern, intensifying the vulnerability's severity.
To mitigate the vulnerability's risks, upgrading to secure Spring Security versions such as 6.1.2+, 6.0.5+, 5.8.5+, 5.7.10+, or 5.6.12+ is strongly recommended. Alternatively, developers can address the issue by merely adding a leading forward slash ("/") to any URL filter employed in Spring Security.
