Quarkus security releases for CVE-2023-4853

We have just released updates to Quarkus 2.16.11.Final, 3.2.6.Final, and 3.3.3 and Red Hat build of Quarkus 2.13.18.SP2 that fix the issue reported in CVE-2023-4853.

This issue affects anyone using HTTP security path-based rules to protect HTTP endpoints.

Recommendations

If you are using any older versions of Quarkus (ranging from 0.1 to 3.3.2) and employ path-based security, we highly recommend you upgrade to the most recent releases of 2.16, 3.2, 3.3, or Red Hat build of Quarkus 2.13 as soon as possible.

For 3.4, whose release is still in progress, a 3.4.1 release containing the fix will be available together with the full Platform release next Wednesday.

If the upgrade is impossible, please see this Red Hat Security Bulletin for possible mitigations.

What is affected

If you have secured the HTTP endpoints of your Quarkus applications using path-based rules such as the following examples, you need to take immediate action.

application.properties:

quarkus.http.auth.permission.authenticated.paths=/a/secret/*
quarkus.http.auth.permission.authenticated.policy=authenticated

or:

quarkus.keycloak.policy-enforcer.paths.1.name=Permission Resource
quarkus.keycloak.policy-enforcer.paths.1.path=/api/permission
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING

or:

quarkus.csrf-reactive.create-token-path=/service/csrfTokenForm

web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>test</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <url-pattern>/openapi/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>managers</role-name>
        </auth-constraint>
    </security-constraint>

Vulnerable artifacts:

  • io.quarkus:quarkus-vertx-http

  • io.quarkus:quarkus-undertow

  • io.quarkus:quarkus-csrf-reactive

  • io.quarkus:quarkus-keycloak-authorization

About CVE-2023-4853

CVE-2023-4853 is a security bug that allows unauthorized access to secured paths, such as /a/protected/path, simply by adding an extra slash, like so: /a/protected//path.

Although not all Quarkus applications are affected, we consider this issue to be extremely serious due to the triviality of the attack vector.
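The following is an added example, not code from Quarkus or from this advisory. It models the class of defect described above in simplified form: an authorization layer that evaluates path rules against the raw request path while the resource is served for the slash-collapsed path, so a request with an extra slash is judged by the wrong rule. The rule list and the access-log lines are constructed for the example; the rule semantics (trailing `/*` protects a subtree, anything else is an exact match) are an assumption of this model and not a statement about the Quarkus matcher. The last function scans log lines for requests whose raw and normalized paths are judged differently, which is what a defender would look for when reviewing traffic to an unpatched deployment.

```python
import re

# Constructed rules in the shape of the page's configuration examples
# (quarkus.http.auth.permission.*.paths and the policy-enforcer path).
PROTECTED_PATHS = ["/a/secret/*", "/api/permission"]

# Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(path: str) -> str:
    """Collapse runs of slashes, the only normalization the advisory discusses."""
    return re.sub(r"/{2,}", "/", path)


def rule_matches(rule: str, path: str) -> bool:
    """Assumed rule semantics: '/*' protects a subtree, otherwise exact match."""
    if rule.endswith("/*"):
        prefix = rule[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == rule


def is_protected(path: str, normalize: bool) -> bool:
    """normalize=False models the flawed check on the raw path,
    normalize=True the hardened check on the collapsed path."""
    candidate = normalize_path(path) if normalize else path
    return any(rule_matches(rule, candidate) for rule in PROTECTED_PATHS)


def find_normalization_mismatches(log_lines):
    """Return (raw_target, normalized_path) for requests that escape every
    rule when matched raw but hit a rule once normalized."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target").split("?", 1)[0]  # drop any query string
        if not is_protected(target, False) and is_protected(target, True):
            hits.append((target, normalize_path(target)))
    return hits


# Constructed access-log lines so the example runs stand-alone.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Sep/2023:12:00:01 +0000] "GET /a/secret/report HTTP/1.1" 401 0',
    '203.0.113.10 - - [20/Sep/2023:12:00:02 +0000] "GET /a//secret/report HTTP/1.1" 200 812',
    '203.0.113.10 - - [20/Sep/2023:12:00:03 +0000] "POST /api//permission HTTP/1.1" 200 44',
    '198.51.100.7 - - [20/Sep/2023:12:00:04 +0000] "GET /public//index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for raw, norm in find_normalization_mismatches(SAMPLE_LOG):
        print(f"rule mismatch: {raw} is served as {norm}")
```

Once the fixed release is deployed, the same requests should be judged by the normalized path, and a regression test that sends both spellings of a protected path and expects the same status code for each is a cheap way to confirm that.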

Quarkus Security Policy

The root cause of this CVE was initially opened as a bug in the Quarkus issue tracker and was unfortunately not recognized as a security bug promptly.

As soon as the severity was understood, we initiated corrective measures, developed patches and backports, and collaborated with Red Hat Product Security to provide updates.

If you suspect a security issue or vulnerability in Quarkus, please report it directly to security (at) quarkus.io - see details about Quarkus Security Policy at https://quarkus.io/security/.