Quarkus security releases for CVE-2023-4853
We have just released updates to Quarkus 2.16.11.Final, 3.2.6.Final, and 3.3.3 and Red Hat build of Quarkus 2.13.18.SP2 that fix the issue reported in CVE-2023-4853.
This issue affects anyone using HTTP security path-based rules to protect HTTP endpoints.
Recommendations
If you are using any older versions of Quarkus (ranging from 0.1 to 3.3.2) and employ path-based security, we highly recommend you upgrade to the most recent releases of 2.16, 3.2, 3.3, or Red Hat build of Quarkus 2.13 as soon as possible.
For 3.4, whose release is still in progress, a 3.4.1 release containing the fix will be available together with the full Platform release next Wednesday.
If the upgrade is impossible, please see this Red Hat Security Bulletin for possible mitigations.
What is affected
If you have secured the HTTP endpoints of your Quarkus applications by using path-based rules, as outlined in the following example, you will need to take immediate action.
application.properties:
quarkus.http.auth.permission.authenticated.paths=/a/secret/*
quarkus.http.auth.permission.authenticated.policy=authenticated
or:
quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource
quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING
or:
quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>test</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
        <url-pattern>/openapi/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>managers</role-name>
    </auth-constraint>
</security-constraint>
Vulnerable artifacts:
- io.quarkus:quarkus-vertx-http
- io.quarkus:quarkus-undertow
- io.quarkus:quarkus-csrf-reactive
- io.quarkus:quarkus-keycloak-authorization
About CVE-2023-4853
CVE-2023-4853 is a security bug that allows unauthorized access to secured paths, such as /a/protected/path, simply by adding an extra slash, like so: /a/protected//path.
Although not all Quarkus applications are affected, we consider this issue to be extremely serious due to the triviality of the attack vector.
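To illustrate why the path-based policy check must see the same path the router ends up serving, here is an added Python example (not Quarkus code): a segment-wise matcher over the page's example rules, compared before and after collapsing duplicate slashes, plus a retrospective scan over constructed access-log lines. The single-segment meaning of `*`, the `normalize` function and the log format are this example's own assumptions.

```python
import re

# Constructed policy table. The patterns come from the page's examples
# ('/a/protected/path' from the CVE description, '/a/secret/*' from
# application.properties); the matching semantics are this example's own,
# not Quarkus's implementation: '*' stands for exactly one path segment.
PROTECTED_PATTERNS = ("/a/protected/path", "/a/secret/*")

def normalize(path: str) -> str:
    """Collapse runs of '/' so the policy check sees the same path the router
    ultimately serves. Whatever else the real router normalizes (dot segments,
    trailing slashes, percent-decoding) must be mirrored here as well."""
    return re.sub(r"/{2,}", "/", path)

def _segments(path: str) -> list[str]:
    return path.split("/")[1:]

def matches(path: str, pattern: str) -> bool:
    """Segment-wise comparison of a path against one pattern."""
    p, q = _segments(path), _segments(pattern)
    return len(p) == len(q) and all(b == "*" or a == b for a, b in zip(p, q))

def requires_auth_unnormalized(path: str) -> bool:
    """Weak check: the request path is compared exactly as received. An extra
    slash produces an empty segment, so no rule fires even though the router
    resolves the request to the protected resource."""
    return any(matches(path, pat) for pat in PROTECTED_PATTERNS)

def requires_auth(path: str) -> bool:
    """Hardened check: normalize first, then apply the very same rules."""
    return any(matches(normalize(path), pat) for pat in PROTECTED_PATTERNS)

# Constructed access-log lines (not real traffic): method, raw path, status.
SAMPLE_LOG = """\
GET /a/protected/path 401
GET /a/protected//path 200
GET /a/secret//report 200
GET /public//index.html 200
"""

def suspicious_requests(log: str) -> list[str]:
    """Retrospective check for log review: raw paths containing a doubled
    slash that resolve to a protected resource yet were answered with 2xx."""
    hits = []
    for line in log.splitlines():
        _method, raw_path, status = line.split()
        if "//" in raw_path and requires_auth(raw_path) and status.startswith("2"):
            hits.append(raw_path)
    return hits
```

The 2xx filter is what separates a blocked probe from a request that actually reached the resource, so the returned paths are the ones worth following up in an incident review.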
Quarkus Security Policy
The root cause of this CVE was initially opened as a bug in the Quarkus issue tracker and was unfortunately not recognized as a security bug promptly.
As soon as the severity was understood, we initiated corrective measures, developed patches and backports, and collaborated with Red Hat Product Security to provide updates.
If you suspect a security issue or vulnerability in Quarkus, please report it directly to security (at) quarkus.io - see details about Quarkus Security Policy at https://quarkus.io/security/.