Recently, a security vulnerability was identified in JBoss Enterprise Application Platform (EAP). The flaw lies in JwtValidator.resolvePublicKey, where the validation doesn't properly check the destination URL when using the jku attribute. This could lead to a Server-Side Request Forgery (SSRF) vulnerability, giving attackers the ability to bypass access controls and make requests to internal or external resources. This post will provide an in-depth analysis of the issue, including information about the affected version, exploitation details, and potential mitigation strategies.

Affected Version

The vulnerability is found in JBoss EAP version 7.x.

Vulnerability Details

The flaw occurs in JwtValidator.resolvePublicKey. When validating a JSON Web Token (JWT), the validator checks for a jku (JSON Web Key URL) attribute, and sends an HTTP GET request to the provided URL to obtain the JSON Web Key Set (JWKS). The server then uses this to validate the JWT signature.

However, during this process, no whitelist or other URL filtering behavior is applied, allowing an attacker to provide an arbitrary URL. This can result in the server making a request to an unintended destination, potentially disclosing sensitive information or interacting with internal services that should not be exposed to external users.

Here's a snippet of the problematic code

public PublicKey resolvePublicKey(JWT jwt) throws ParseException {
    // ...
    if (jku != null) {
        try {
            URL jkuUrl = new URL(jku);
            HttpURLConnection connection = (HttpURLConnection) jkuUrl.openConnection();
            connection.setRequestMethod("GET");
            connection.connect();
            // ... Process the obtained JWKS to extract the public key
        } catch (IOException e) {
            throw new ParseException("Error during JKU resolution", e);
        }
    }
    // ...
}

As you can see, there are no checks to ensure that the jkuUrl is a valid, trusted URL.

Exploit Details

To exploit the vulnerability, an attacker would craft a JWT that includes a malicious destination within the jku attribute:

// Example of a malicious JWT payload
{
    // ... other typical JWT payload attributes...
    "jku": "https://attacker-controlled.example/malicious.jwks";
}

When the server processes this JWT, it will make an HTTP request to the attacker-controlled URL, potentially allowing the attacker to access sensitive information or perform actions using the server's privileges.

To mitigate this vulnerability, developers should implement one or more of the following measures

1. Implement a whitelist of allowed domains for the jku attribute, only allowing URLs from trusted sources to be accessed.
2. Configure a network-level firewall or proxy to restrict outgoing connections from the server to only trusted endpoints.
3. Update the JBoss EAP software to a patched version that addresses this vulnerability, once it becomes available.

Conclusion and References

CVE-2024-1233 highlights the importance of proper URL validation to prevent Server-Side Request Forgery attacks. Developers should ensure that they apply the necessary checks when processing external URLs to prevent attackers from exploiting such vulnerabilities. For further information on this issue, consult the original advisory:

- Original Advisory on the JBoss EAP Vulnerability

Stay vigilant, and ensure that your applications follow best practices for secure web development!

Timeline

Published on: 04/09/2024 07:15:08 UTC
Last modified on: 05/14/2024 16:15:55 UTC