Summary: Security researchers have discovered a critical authorization bypass vulnerability in Quarkus, a popular Java-based Kubernetes-native framework. The vulnerability affects both RESTEasy Classic and RESTEasy Reactive JAX-RS endpoints in Quarkus applications, potentially allowing unauthorized access to sensitive information.

Introduction

Recently, a critical flaw, CVE-2023-5675, was discovered in Quarkus, a popular Java-based framework for building Kubernetes-native applications. It affects RESTEasy Classic and RESTEasy Reactive JAX-RS endpoints whose methods are declared in an abstract Java class or customized by Quarkus extensions using the annotation processor: for such methods, the authorization that is enabled by either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property is not enforced. Consequently, an attacker may access sensitive information or perform unauthorized actions in the impacted applications.

Detailed Exploit

The vulnerability arises from a gap in how Quarkus enforces security on JAX-RS endpoints. In affected setups, authorization is not enforced for endpoint methods declared in an abstract class or customized by Quarkus extensions when that authorization is enabled through either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property.

Here is an example of a vulnerable code snippet:

import javax.annotation.security.RolesAllowed;   // jakarta.annotation.security on Quarkus 3.x
import javax.enterprise.context.ApplicationScoped;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;

// The endpoint method is declared in an abstract class: this is the
// pattern affected by CVE-2023-5675.
@Path("/example")
@ApplicationScoped
public abstract class AbstractBaseResource {

    @GET
    @RolesAllowed("admin")   // intended to restrict the method to the "admin" role
    public String get() {
        return "Hello, admin!";
    }
}

// Concrete subclass that JAX-RS registers as the actual endpoint.
public class ExampleResource extends AbstractBaseResource {
}

@ApplicationPath("/")
public class ExampleApplication extends Application {
}

In this instance, the get() method, which returns "Hello, admin!", can be reached without the "admin" role, because the authorization requirement is not enforced for methods declared in the abstract Java class.

The disclosure of this vulnerability can be traced to the official Quarkus GitHub page:

- Quarkus Security Advisory: GHSA-j9gc-788p-6f76

The Common Vulnerabilities and Exposures (CVE) database entry can be found here:

- CVE: CVE-2023-5675

Mitigation Steps

To resolve this vulnerability, upgrade your Quarkus application to version 2.7.3 or later. This ensures that authorization is enforced for both RESTEasy Classic and RESTEasy Reactive JAX-RS endpoints.

It is also advisable to review your applications carefully, especially those exposing RESTEasy Classic or RESTEasy Reactive JAX-RS endpoints, since this vulnerability may allow unauthorized access to sensitive information.
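One practical way to carry out that review is an automated authorization regression test that fails whenever a secured endpoint becomes reachable without the required role. The following JUnit test is an added example, not code from the Quarkus project or from the advisory; it assumes that the AbstractBaseResource from the snippet above is served at /example by a concrete subclass, that the application declares the quarkus-junit5, rest-assured and quarkus-test-security test dependencies, and that no other security configuration changes the expected status codes.

```java
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.security.TestSecurity;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.is;

// Added example: authorization regression test for the /example endpoint
// whose method is declared in the (assumed) abstract resource class.
// Run with the project's test task, e.g. ./mvnw test
@QuarkusTest
public class ExampleResourceAuthorizationTest {

    // Anonymous callers must be rejected. A 200 here reproduces the
    // CVE-2023-5675 behaviour, where the @RolesAllowed annotation on an
    // abstract-class method is not enforced.
    @Test
    public void anonymousRequestIsRejected() {
        given()
            .when().get("/example")
            .then()
            .statusCode(401);
    }

    // An authenticated caller without the "admin" role must get 403,
    // showing that the role check (not only authentication) is enforced.
    @Test
    @TestSecurity(user = "alice", roles = "user")
    public void wrongRoleIsForbidden() {
        given()
            .when().get("/example")
            .then()
            .statusCode(403);
    }

    // The intended audience still succeeds, so the check is not over-restrictive.
    @Test
    @TestSecurity(user = "root", roles = "admin")
    public void adminRoleIsAllowed() {
        given()
            .when().get("/example")
            .then()
            .statusCode(200)
            .body(is("Hello, admin!"));
    }
}
```

The first test is the one that catches the flaw: on a vulnerable version it fails with a 200 response, and it keeps guarding the endpoint after the upgrade. Add one such test for every secured endpoint whose methods live in an abstract base class or are contributed by an extension.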

Conclusion

The CVE-2023-5675 vulnerability in Quarkus underlines the importance of regular updates and proper configuration of the security properties in your application. It's crucial to ensure that authorization checks are enforced in the right manner, whether the methods are part of abstract Java classes or customized by Quarkus extensions. Keep an eye on updates from official Quarkus sources and the CVE database to stay ahead of evolving security threats.

Timeline

Published on: 04/25/2024 16:15:08 UTC
Last modified on: 04/25/2024 17:25:05 UTC