Quarkus security releases for CVE-2023-4853
We have just released updates to Quarkus 2.16.11.Final, 3.2.6.Final, and 3.3.3 and Red Hat build of Quarkus 2.13.18.SP2 that fix the issue reported in CVE-2023-4853.
This issue affects anyone using HTTP security path-based rules to protect HTTP endpoints.
If you are using any older versions of Quarkus (ranging from 0.1 to 3.3.2) and employ path-based security, we highly recommend you upgrade to the most recent releases of 2.16, 3.2, 3.3, or Red Hat build of Quarkus 2.13 as soon as possible.
For 3.4, which release is still in progress, a 3.4.1 release containing the fix will be available together with the full Platform release next Wednesday.
If the upgrade is impossible, please see this Red Hat Security Bulletin for possible mitigations.
If you have secured the HTTP endpoints of your Quarkus applications by using path-based rules, as outlined in the following example, you will need to take immediate action.
quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING
<security-constraint> <web-resource-collection> <web-resource-name>test</web-resource-name> <url-pattern>/secure/*</url-pattern> <url-pattern>/openapi/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>managers</role-name> </auth-constraint> </security-constraint>
CVE-2023-4853 is a security bug that allows unauthorized access to secured paths—such as
/a/protected/path simply by adding an extra slash, like so:
Although not all Quarkus applications are affected, we consider this issue to be extremely serious due to the triviality of the attack vector.
The root cause of this CVE was initially opened as a bug in the Quarkus issue tracker and was unfortunately not recognized as a security bug promptly.
As soon as the severity was understood, we initiated corrective measures, developed patches and backports, and collaborated with Red Hat Product Security to provide updates.
If you suspect a security issue or vulnerability in Quarkus, please report it directly to security (at) quarkus.io - see details about Quarkus Security Policy at https://quarkus.io/security/.