Known Vulnerabilities for Red Hat #1
Remember, in the face of cybersecurity threats, timely action is your best defense.

Our ongoing commitment to cybersecurity brings you this critical update on a vulnerability within the Quarkus endpoints, particularly ones utilizing the HTTP Security Policy.

Snapshot of the Issue (CVE-2023-4853):

  • Severity: Assessed as "Important".
  • Affected Component: The flaw lies in the quarkus-vertx-http component.
  • Risk: Unauthenticated remote bypass of access control restrictions. The issue affects all Quarkus versions and other products that embed this component.
  • Current Status: Mitigations are available for those unable to transition immediately to the secure version.

Understanding the Vulnerability: Quarkus offers several security mechanisms, and the flaw lies in its HTTP security policy. The root of the problem is that the policy does not handle request paths containing multiple adjacent forward-slash characters: such a path is not matched against the configured permissions, so the policy can be bypassed.

Example: Policies named ‘role-admin’ and ‘authenticated’ that secure paths such as /service/* and /internal/* can be bypassed by requesting https://<url>///service/ and https://<url>///internal/ instead.

The implications of this flaw are substantial, from information leaks and unauthorized access to potential denial of service.

Recommendations & Mitigations:

Note: Adopting these mitigations requires rebuilding and redeploying the affected applications, unless stated otherwise.

  1. ‘Deny’ Security Policy: Restrict your application's URL space using the 'deny' security policy. This approach blocks all requests not secured by existing policies.
  2. Normalize Paths: Implement a Vert.x route that reroutes requests to a normalized path when the current one isn't normalized.
  3. Custom HttpSecurityPolicy: Employ a custom policy that blocks requests with mismatched path and normalized path values.
  4. JAX-RS Security Annotations: Secure JAX-RS endpoints using security annotations like ‘@Authenticated’ and ‘@RolesAllowed’.
  5. Duplicate Paths: If requests with double slashes must keep working, mirror each configured path so that the double-slash variant is covered by the same policy.
  6. Proxy Protection: If you're using a proxy or load balancer before your Quarkus application, this can be utilized as a protective measure against the vulnerability without needing a rebuild.
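The following is an added example of mitigations 2 and 3 in code; it is not from the advisory, from Red Hat, or from the Quarkus project. It assumes a Quarkus 2.x application (javax CDI namespace), that the Vert.x route registered with the lowest order runs before Quarkus's HTTP security handler, and that a custom policy is wired up by its @Named value under quarkus.http.auth.permission.<name>.policy; the class names, the bean name deny-unnormalized, and the permission name normalized are constructed for this example. Both mitigations compare the raw request path with an explicitly normalized form: runs of slashes are collapsed regardless of whether the underlying Vert.x version does so itself.

```java
package org.acme.security;           // constructed package name

import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.inject.Named;

/**
 * Mitigation 2: a Vert.x route that runs ahead of everything else and reroutes
 * any request whose path is not in normalized form to the normalized path, so
 * that the configured HTTP security policies are matched against the same path
 * the application endpoint will actually serve.
 */
@ApplicationScoped
public class PathNormalizingRoute {

    // Context-data marker to guarantee the reroute cannot loop (assumption: harmless
    // if Vert.x clears context data on reroute, protective if it keeps it).
    private static final String REROUTED = "org.acme.security.rerouted";

    /** Collapse "." / ".." segments via Vert.x, then collapse runs of '/' ourselves. */
    static String normalize(RoutingContext rc) {
        String vertxNormalized = rc.normalizedPath();
        return vertxNormalized == null ? "/" : vertxNormalized.replaceAll("/{2,}", "/");
    }

    void init(@Observes Router router) {
        // Integer.MIN_VALUE: assumption that this order places the route before the
        // Quarkus security handler in the routing chain.
        router.route().order(Integer.MIN_VALUE).handler(rc -> {
            String raw = rc.request().path();
            String normalized = normalize(rc);
            if (raw != null && !raw.equals(normalized) && rc.get(REROUTED) == null) {
                rc.put(REROUTED, Boolean.TRUE);
                // Restart routing with the normalized path; the security policy for
                // e.g. /service/* now matches what was requested as ///service/.
                rc.reroute(normalized);
            } else {
                rc.next();
            }
        });
    }
}

/**
 * Mitigation 3: a custom HttpSecurityPolicy that denies any request whose raw
 * path differs from its normalized form. Apply it to every path so that it is
 * consulted for paths the specific policies (/service/*, /internal/*) do not
 * match. In a real project this class would live in its own file.
 *
 *   # application.properties (constructed example)
 *   quarkus.http.auth.permission.normalized.paths=/*
 *   quarkus.http.auth.permission.normalized.policy=deny-unnormalized
 */
@ApplicationScoped
@Named("deny-unnormalized")
class DenyUnnormalizedPathPolicy implements HttpSecurityPolicy {

    @Override
    public Uni<CheckResult> checkPermission(RoutingContext request,
                                            Uni<SecurityIdentity> identity,
                                            AuthorizationRequestContext requestContext) {
        String raw = request.request().path();
        String normalized = PathNormalizingRoute.normalize(request);
        if (raw == null || !raw.equals(normalized)) {
            // e.g. "///service/" != "/service/": refuse rather than let the request
            // fall through to an endpoint the path-based policies never saw.
            return Uni.createFrom().item(CheckResult.DENY);
        }
        // Paths that are already normalized are left to the other configured
        // policies (or are public if none applies), as before.
        return Uni.createFrom().item(CheckResult.PERMIT);
    }
}
```

Either class on its own addresses the bypass; using both gives defence in depth, since the policy still denies anything the route did not normalize. Because Quarkus matches permissions on the longest configured path, the /* entry only takes effect for requests that no more specific permission matched, which is exactly the double-slash case.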

Affected Products: Quarkus 2.13, and various Red Hat products including Red Hat Decision Manager, OpenShift Serverless, and more are susceptible. Red Hat is urging all users to implement the provided updates promptly and adopt appropriate mitigations.

Upcoming Updates: Certain Red Hat products, such as Red Hat Integration Camel Quarkus and others, will have advisory and update links incorporated once they are available.

Diagnosis: Check your security configurations and environment files for path-based HTTP security policy settings (quarkus.http.auth.permission.* entries and similar). If any are found, apply one of the suggested mitigation strategies promptly.
