Spring Boot is one of the most sought-after frameworks in Java, and its objective is simple yet vital – to make it easier for developers to create Spring-powered, production-grade applications with minimal fuss. It offers an opinionated view of the Spring platform, creating an environment where new and existing users can quickly focus on the tasks that matter.
Despite the conveniences that Spring Boot offers, the framework recently found itself in the hot seat with two high-severity security vulnerabilities: the Spring Boot Welcome Page Denial-of-Service (DoS) vulnerability (CVE-2023-20883) and a security bypass vulnerability due to wildcard pattern matching on Cloud Foundry (CVE-2023-20873).
CVE-2023-20883: Spring Boot Welcome Page DoS Vulnerability
This vulnerability could lead to a DoS condition when Spring MVC is used together with a reverse proxy cache. But not every application is vulnerable. Applications that have Spring MVC auto-configuration enabled, make use of Spring Boot’s welcome page support, and are deployed behind a proxy that caches 404 responses are at risk. In contrast, applications are safe if Spring MVC auto-configuration is disabled, if they do not use the welcome page support, or if there is no proxy caching 404 responses.
CVE-2023-20873: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
The second vulnerability could lead to a security bypass when an application deployed to Cloud Foundry can handle requests that match /cloudfoundryapplication/**. This is typically the case when there is a catch-all request mapping matching /**. The vulnerability does not apply if the application is not deployed to Cloud Foundry, if Cloud Foundry actuator endpoints are disabled, or if there are no handler mappings for /cloudfoundryapplication/** requests.
What’s at Risk and the Mitigation Path?
Spring Boot versions from 2.5.0 to 3.0.6 (for the DoS vulnerability) and from 2.5.0 to 3.0.5 (for the security bypass vulnerability) are exposed to these threats. Older, unsupported versions are also affected.
To address these vulnerabilities, users of affected versions should upgrade to 3.0.7 or later, or to 2.7.12 or later, depending on the release line they are currently using. Where an immediate upgrade is not possible, configuring the reverse proxy not to cache 404 responses (for CVE-2023-20883) or disabling the Cloud Foundry actuator endpoints by setting management.cloudfoundry.enabled to false (for CVE-2023-20873) are available workarounds.
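As an added example (not part of the original article or the Spring project), the following script audits a Maven pom.xml for a spring-boot-starter-parent version below the upgrade targets given above (3.0.7+ / 2.7.12+). The pom.xml it inspects is constructed inline for the demonstration.

```python
"""Added example: flag Spring Boot versions below the article's upgrade targets.

The pom.xml below is constructed for this demonstration, not taken from a real project.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '3.0.5' or '2.7.11-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version):
    """True if the version meets the article's upgrade target for its release line.

    3.x must be at least 3.0.7; 2.x must be at least 2.7.12 (so 2.5.x and 2.6.x
    are reported as unpatched, matching the article's affected ranges).
    """
    v = parse_version(version)
    if v >= (3, 0, 7):
        return True
    if v[0] == 2:
        return v >= (2, 7, 12)
    return False


def spring_boot_version_from_pom(pom_xml):
    """Return the version declared on a spring-boot-starter-parent <parent>, or None."""
    parent = ET.fromstring(pom_xml).find("m:parent", MAVEN_NS)
    if parent is None:
        return None
    if parent.findtext("m:artifactId", default="", namespaces=MAVEN_NS) != "spring-boot-starter-parent":
        return None
    return parent.findtext("m:version", namespaces=MAVEN_NS)


def audit_pom(pom_xml):
    """Return (version, patched); (None, None) when no Spring Boot parent is declared."""
    version = spring_boot_version_from_pom(pom_xml)
    return (None, None) if version is None else (version, is_patched(version))


# Constructed sample pom.xml pinned to a version inside both affected ranges.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.0.5</version>
  </parent>
  <artifactId>demo</artifactId>
</project>"""

if __name__ == "__main__":
    version, ok = audit_pom(SAMPLE_POM)
    status = "patched" if ok else "UPGRADE to 3.0.7+ / 2.7.12+ (CVE-2023-20883, CVE-2023-20873)"
    print(f"spring-boot-starter-parent {version}: {status}")
```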
The detection of these high-severity vulnerabilities in Spring Boot offers a sobering reminder to the developer community. No matter how sophisticated or popular a framework or tool is, it is not immune to potential threats and vulnerabilities. Ensuring your applications are always up-to-date and well-guarded against potential threats should be your top priority.