1. Summary
| Vulnerability Name | Spring Security Authentication Bypass Vulnerability (CVE-2023-34035) |
|---|---|
| Release Date | July 19, 2023 |
| Component Name | Spring Security |
| Affected Versions | 5.8.0 ≤ Spring Security ≤ 5.8.4 |
| Vulnerability Type | Authentication Bypass Vulnerability |
| Severity | CVSS v3 Base Score: 5.3 (Medium) |
| Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None |
| Impact | Confidentiality Impact: None; Integrity Impact: Low; Availability Impact: None |
2. About the Vulnerability (CVE-2023-34035)
2.1 About the Component
Spring Security is a security framework that provides authentication, authorization, and other security features to protect web applications from attacks. Its main goal is to ensure that only authenticated and authorized users can access certain parts of the application or perform specific actions.
2.2 About the Vulnerability
On July 19, 2023, Sangfor FarSight Labs received notification about an authentication bypass vulnerability in Spring Security, identified as CVE-2023-34035, with a severity rating of Medium (CVSS Score 5.3).
Affected versions of Spring Security are susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet.
(DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)
Specifically, an application is vulnerable when all of the following are true:
- Spring MVC is on the classpath
- Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
- The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints
An application is not vulnerable if any of the following is true:
- The application does not have Spring MVC on the classpath
- The application secures no servlets other than Spring MVC’s DispatcherServlet
- The application uses requestMatchers(String) only for Spring MVC endpoints
3. Affected Versions
5.8.0 ≤ Spring Security ≤ 5.8.4
6.0.0 ≤ Spring Security ≤ 6.0.4
6.1.0 ≤ Spring Security ≤ 6.1.1
4. Solutions
4.1 Spring Solution
4.1.1 Version Upgrade
Spring recommends the following 2-step mitigation process:
Step 1: Update to the latest version of Spring Security (6.1.2 / 6.0.5 / 5.8.5). Link: https://spring.io/projects/spring-security
Step 2: If you are using multiple servlets and one of them is Spring MVC’s DispatcherServlet, you may see the following error message at startup time:
This method cannot decide whether these patterns are Spring MVC patterns or not. If this endpoint is a Spring MVC endpoint, please use `requestMatchers(MvcRequestMatcher)`; otherwise, please use `requestMatchers(AntPathRequestMatcher)`.
Follow the guidance in this error message and replace each ambiguous requestMatchers(String) call with an explicit matcher.
For example, if you were using requestMatchers(String) to point to a non-Spring MVC endpoint, /endpoint, then change it to requestMatchers(new AntPathRequestMatcher("/endpoint")).
If you were using requestMatchers(String) to point to a Spring MVC endpoint, /mvc-endpoint, then change it to requestMatchers(new MvcRequestMatcher(introspector, "/mvc-endpoint")) where introspector is an @Autowired HandlerMappingIntrospector.
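As an added example (not code from the advisory or from the Spring project), the following Spring Boot 3.1 / Spring Security 6.1.2 configuration applies Step 2 to an application that meets all three vulnerable conditions: Spring MVC is present and a second, non-MVC servlet is registered. The servlet name LegacyExportServlet and the paths /legacy/export and /admin/** are assumed for illustration.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Stand-in for a non-MVC servlet (constructed for this example, not a real component).
    static class LegacyExportServlet extends HttpServlet {
        @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().write("export");
        }
    }

    // Registering it next to Spring MVC's DispatcherServlet is the multi-servlet
    // condition under which requestMatchers(String) becomes ambiguous.
    @Bean
    ServletRegistrationBean<LegacyExportServlet> legacyServlet() {
        return new ServletRegistrationBean<>(new LegacyExportServlet(), "/legacy/*");
    }

    // Ambiguous form (accepted by the affected versions; patched versions refuse to
    // start and print the error message quoted in Step 2 instead):
    //   auth.requestMatchers("/legacy/export").hasRole("ADMIN")
    //       .requestMatchers("/admin/**").hasRole("ADMIN");

    // Explicit form: state which matcher applies to which servlet. HandlerMappingIntrospector
    // is injected by Spring (Boot auto-configures the bean when Spring MVC is present).
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // Served by LegacyExportServlet, not MVC: match on the raw servlet path.
            .requestMatchers(new AntPathRequestMatcher("/legacy/export")).hasRole("ADMIN")
            // Spring MVC endpoint: match the way DispatcherServlet itself resolves it.
            .requestMatchers(new MvcRequestMatcher(introspector, "/admin/**")).hasRole("ADMIN")
            .anyRequest().authenticated());
        return http.build();
    }
}
```

With the explicit matchers in place, the patched versions start normally, and each rule is evaluated against the servlet that actually serves the path rather than against a guess.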
5. Timeline
On July 19, 2023, Sangfor FarSight Labs received notification about the Spring Security Authentication Bypass Vulnerability (CVE-2023-34035).
On July 19, 2023, Sangfor FarSight Labs released a vulnerability alert.
6. Reference
https://spring.io/security/cve-2023-34035
https://nvd.nist.gov/vuln/detail/CVE-2023-34035
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.