add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447

k4n5ha0 · 2022-03-22T14:46:29Z

Motivation

like CVE-2022-22947 SpEL injection, java Actuator usually comes out vul
so i think APPLICATION-ATTACK-JAVA.conf need block Actuator url as these:

/actuator
gateway/
/autoconfig
/beans
/env
/dump
/health
/info
/metrics
/shutdown
/trace
/heapdump

these urls gives many dangerous infomations aslo some of them have vul

Proposed solution

block them with level=2

reference linking：
https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt
https://github.com/mpgn/Spring-Boot-Actuator-Exploit
https://github.com/Greetdawn/CVE-2022-22947
https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html

thx

franbuehler · 2022-03-23T11:57:53Z

Thank you for your very welcome report.
We'll check it soon!!

franbuehler · 2022-03-25T21:23:36Z

8000

As this vulnerability is scored with a CVSS Score of 10 (CRITICAL) and we already have java rules against specific vulnerabilities, I think it could be worth writing a new rule for this vulnerability.

I find it super difficult to find the affected URLs and I am thankful for @k4n5ha0's choice. I found the following descriptions of most of the URLs here:

/actuator - CVE PoC
gateway/ - CVE PoC
/autoconfig - I don't find any info.
/beans - Displays a complete list of all the Spring beans in your application.
/env - Exposes properties from Spring’s ConfigurableEnvironment.
/dump - I don't find any info.
/health - Shows application health information.
/info - Displays arbitrary application info.
/metrics - Shows “metrics” information for the current application.
/shutdown - Lets the application be gracefully shutdown. Disabled by default.
/trace - I don't find any info.
/heapdump - Returns a heap dump file. On a HotSpot JVM, an HPROF-format file is returned. On an OpenJ9 JVM, a PHD-format file is returned.

However when I look through the PoCs of this CVE (1, 2, 3, 4) I only find the following 2 endpoints:

/actuator/gateway/routes
/actuator/gateway/refresh

I still have some questions:

Would the two URLs above be enough to cover the vulnerability?
Do we also block legitimate requests with a potential new rule?
Do you have more information about the additional URLs you're reporting and why we should block them as well?

k4n5ha0 · 2022-03-26T12:57:51Z

As this vulnerability is scored with a CVSS Score of 10 (CRITICAL) and we already have java rules against specific vulnerabilities, I think it could be worth writing a new rule for this vulnerability.

I find it super difficult to find the affected URLs and I am thankful for @k4n5ha0's choice. I found the following descriptions of most of the URLs here:

/actuator - CVE PoC gateway/ - CVE PoC /autoconfig - I don't find any info. /beans - Displays a complete list of all the Spring beans in your application. /env - Exposes properties from Spring’s ConfigurableEnvironment. /dump - I don't find any info. /health - Shows application health information. /info - Displays arbitrary application info. /metrics - Shows “metrics” information for the current application. /shutdown - Lets the application be gracefully shutdown. Disabled by default. /trace - I don't find any info. /heapdump - Returns a heap dump file. On a HotSpot JVM, an HPROF-format file is returned. On an OpenJ9 JVM, a PHD-format file is returned.

However when I look through the PoCs of this CVE (1, 2, 3, 4) I only find the following 2 endpoints:

/actuator/gateway/routes /actuator/gateway/refresh

I still have some questions:

Would the two URLs above be enough to cover the vulnerability?

Do we also block legitimate requests with a potential new rule?

Do you have more information about the additional URLs you're reporting and why we should block them as well?

frome this link:
https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

we can find many urls is vul. and some urls leak infos i think itis dangerous too.
my english is poor , sorry about that :-)
thx

franbuehler · 2022-03-28T13:32:37Z

What I don't quite understand is that if we block these paths, are we also blocking legitimate requests? So we limit the functionality of the feature actuator?
Or are these paths always evil?

k4n5ha0 · 2022-03-28T15:14:20Z

What I don't quite understand is that if we block these paths, are we also blocking legitimate requests? So we limit the functionality of the feature actuator? Or are these paths always evil?

like this pic

java coder use client to connect java's Actuator.
Actuator should't show any infomations to any brower, if Actuator show infos out of firewall ,that is dangerous.
so Actuator's manager port should not equal server port for safetey.

ps: management.server.port is Actuator's port

github-actions · 2022-07-27T02:23:36Z

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

k4n5ha0 added the 👍 Feature Request label Mar 22, 2022

franbuehler mentioned this issue Mar 28, 2022

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Closed

franbuehler mentioned this issue Apr 25, 2022

Monthly Chat Agenda May 2022 (2022-05-02 and 2022-05-16) #2503

Closed

github-actions bot added the ⌛ Stale issue This issue has been open 120 days with no activity. label Jul 27, 2022

github-actions bot closed this as completed Aug 11, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447

add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447

add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447

Comments

Motivation

Proposed solution

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!