Full Report
Wiz Threat Research investigates misconfigurations in Spring Boot Actuator’s endpoints that can leak environment variables, passwords, and API keys, and even lead to remote code execution.
Analysis Summary
The provided article focuses heavily on **misconfigurations** of the Spring Boot Actuator, which are often distinct from traditional, version-specific CVEs. Consequently, specific CVE identifiers and scores are not detailed for the general configuration risks discussed, though past versions are noted to have had insecure defaults.
# Vulnerability: Exposure of Sensitive Data via Misconfigured Spring Boot Actuator Endpoints
## CVE Details
- CVE ID: Not explicitly provided for the misconfiguration risks discussed.
- CVSS Score: Not explicitly provided.
- CWE: (Inferred) CWE-862: Missing Authorization for the exposed endpoints themselves; CWE-200: Exposure of Sensitive Information to an Unauthorized Actor for the credentials and configuration leaked through them.
## Affected Systems
- Products: Spring Boot Actuator (a module within Spring Boot applications).
- Versions: Spring Boot 1.5 and earlier exposed endpoints such as `/heapdump` by default. Spring Boot 2.0 switched to an opt-in model in which only a minimal set of endpoints (health, and originally also info) is exposed over HTTP and everything else must be listed in `management.endpoints.web.exposure.include`; current versions are therefore vulnerable only when an operator widens that exposure (for example with `*`) without adding authentication.
- Configurations: Any deployment in which Actuator endpoints are reachable from untrusted networks without authentication, especially ones exposing `/heapdump`, `/env`, or `/gateway/routes` (the Spring Cloud Gateway routes endpoint).
## Vulnerability Description
The Spring Boot Actuator module provides valuable operational insights through various HTTP endpoints. The primary risk stems from misconfiguring these endpoints to be publicly accessible without authentication.
1. **`/heapdump` Exposure:** If exposed, this endpoint triggers a full Java heap dump and returns it as a (typically very large) HPROF file. Any secret the JVM holds in memory at that moment, including database passwords, API keys, and session or bearer tokens resolved from configuration or environment variables, can be recovered from the dump with nothing more sophisticated than string extraction. This endpoint was exposed by default up to Spring Boot version 1.5.
2. **Other Sensitive Endpoints:** Exposure of `/env` (which lists the application's environment variables and configuration properties) leaks the same secrets in structured form; newer versions mask values whose key names match patterns such as `password` or `secret`, but a secret stored under an unusual key name is shown in clear. In some versions and application setups, exposed endpoints that accept writes (such as the gateway routes endpoint) have been chained into Remote Code Execution (RCE). The resulting severity ranges up to critical, from data exfiltration to full compromise of the host.
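The string-extraction triage described above, as an added example that is not code from the Wiz article or from the Spring project: it pulls printable runs out of a heap dump (the same first pass `strings heapdump | grep -i password` gives you) and matches them against credential-shaped patterns. `SAMPLE_HEAPDUMP` is a constructed stand-in for a real HPROF file, and the pattern set is a starting point, not a complete secret-detection rule base.

```python
"""Triage a leaked heap dump for credentials by extracting printable strings.

Added example; not code from the Wiz article or from the Spring project.
An HPROF file is binary; the fastest first pass is to pull out printable
runs (what `strings` does) and match them against credential-shaped
patterns. SAMPLE_HEAPDUMP below is a constructed stand-in for a real dump.
"""
from __future__ import annotations

import re
from typing import Iterator

MIN_LEN = 8  # minimum printable run to keep, like `strings -n 8`
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Strings a Spring Boot heap typically holds once the Environment has
# resolved its properties: key=value pairs, JDBC URLs, tokens, cloud keys.
SECRET_PATTERNS = {
    "property_value": re.compile(r"(?i)\b[\w.-]*(?:password|secret|api[-_]?key|token)=\S+"),
    "jdbc_url_with_creds": re.compile(r"jdbc:\w+://\S*[?&;](?:user|password)=[^\s&;]+"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-_.=]{20,}"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def extract_strings(blob: bytes) -> Iterator[str]:
    """Yield printable ASCII runs of at least MIN_LEN bytes."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.group().decode("ascii")


def find_secrets(blob: bytes) -> list[tuple[str, str]]:
    """Return (pattern_name, matched_text) for every credential-shaped string."""
    hits: list[tuple[str, str]] = []
    for s in extract_strings(blob):
        for name, pat in SECRET_PATTERNS.items():
            hits.extend((name, m.group()) for m in pat.finditer(s))
    return hits


# Constructed stand-in for a heap dump: HPROF header, binary noise, and a
# few strings as they would sit in memory after the Environment resolved them.
SAMPLE_HEAPDUMP = (
    b"JAVA PROFILE 1.0.2\x00" + bytes(range(0, 32)) * 4
    + b"spring.datasource.password=Sup3rS3cret!\x00\x01\x02"
    + b"jdbc:postgresql://db.internal:5432/app?user=app&password=Sup3rS3cret!"
    + b"\xff\xfe"
    + b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl"
    + b"\x00AKIAIOSFODNN7EXAMPLE\x00"
)

if __name__ == "__main__":
    for name, text in find_secrets(SAMPLE_HEAPDUMP):
        print(f"{name:22s} {text}")
```

Run it against a real dump with `find_secrets(open("heapdump", "rb").read())`; every hit is a credential that has already left the server and needs rotating, not just masking in future responses.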
## Exploitation
- Status: Misconfigurations are common: the Wiz scanner found them in 24% of the publicly reachable Actuator instances it analyzed. Attackers actively scan for these endpoints (roughly 1,000 malicious IP addresses were observed probing them in the last 30 days, per GreyNoise).
- Complexity: Depends on the endpoint. Reading an exposed `/heapdump` or `/env` is a single unauthenticated GET request; RCE requires a writable endpoint and specific application circumstances.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Potential leak of credentials, API keys, and sensitive environment data).
- Integrity: Potentially High (If RCE is achieved).
- Availability: Low to Medium (the article does not describe a DoS condition, but generating a heap dump pauses the JVM while the entire heap is written out, so repeated `/heapdump` requests can degrade or stall the application).
## Remediation
### Patches
- Keep Spring Boot and Spring Boot Actuator up to date: Spring Boot 2.0 introduced the opt-in exposure model (only health, and originally info, exposed over HTTP by default), and Spring Boot 3 additionally hides `/env` and `/configprops` values unless `show-values` is explicitly configured. (The article gives no specific patch versions.)
### Workarounds
1. **Enforce Strict Authentication:** Require authentication and authorization for *all* Actuator endpoints, not only the sensitive ones. With Spring Security this is a `SecurityFilterChain` matched with `EndpointRequest.toAnyEndpoint()` that permits only the health endpoint anonymously and requires a dedicated operator role for everything else (`/heapdump`, `/gateway/routes`, and `/env` included).
2. **Reduce Exposure:** Expose endpoints by allowlist (`management.endpoints.web.exposure.include=health,...`) rather than `*`, and move the management interface to its own port (`management.server.port`) bound to an internal address (`management.server.address`), so that firewalls and security groups can keep it off the public surface even when the application itself must be reachable from the Internet.
3. **Adhere to Best Practices:** Disable endpoints nobody needs in production (`management.endpoint.heapdump.enabled=false`), keep `/env` value masking on, and audit `application.properties` or `application.yml` after every upgrade so that no insecure setting carried over from an older Spring Boot release survives.
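The configuration audit those three workarounds describe, as an added example (not Wiz's or Spring's code): a small checker for the `management.*` properties that decide which Actuator endpoints are reachable over HTTP, run over a constructed weak `application.properties` and its hardened counterpart. The property names and defaults it assumes are those of Spring Boot 2.x/3.x (only `health` exposed unless `exposure.include` says otherwise, endpoints on the application port unless `management.server.port` is set, `shutdown` disabled unless enabled, `show-values` relevant on Spring Boot 3); the endpoint list in `SENSITIVE` is this example's own judgement of what must never be anonymous.

```python
"""Audit a Spring Boot application.properties for Actuator exposure.

Added example, not code from the Wiz article or the Spring project. The
two property sets at the bottom are constructed for the example. Property
names and defaults are those of Spring Boot 2.x/3.x.
"""
from __future__ import annotations

# Endpoints whose unauthenticated exposure leaks data or allows writes
# (this example's own list; extend it for endpoints your app adds).
SENSITIVE = {
    "heapdump": "dumps the JVM heap, including resolved secrets",
    "env": "lists environment and configuration properties",
    "configprops": "lists @ConfigurationProperties beans",
    "threaddump": "thread stacks, can include request data",
    "beans": "application bean graph, aids further exploitation",
    "mappings": "all request mappings, aids further exploitation",
    "loggers": "writable: changes log levels at runtime",
    "shutdown": "writable: stops the application",
    "gateway": "Spring Cloud Gateway routes, writable in some setups",
}
DISABLED_BY_DEFAULT = {"shutdown"}  # Spring Boot ships shutdown disabled


def parse_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser for application.properties (no line continuations)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _csv(value: str | None) -> set[str]:
    return {v.strip() for v in value.split(",") if v.strip()} if value else set()


def audit(props: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means no exposure issue found."""
    findings: list[str] = []
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude"))
    if "*" in include:
        findings.append("exposure.include=* exposes every Actuator endpoint over HTTP")
        include = set(SENSITIVE)  # wildcard: every known sensitive endpoint counts as included
    for ep in sorted(include & set(SENSITIVE)):
        if ep in exclude:
            continue  # exclude wins over include in Spring Boot
        default = "false" if ep in DISABLED_BY_DEFAULT else "true"
        if props.get(f"management.endpoint.{ep}.enabled", default).lower() == "false":
            continue
        findings.append(f"/{ep} exposed: {SENSITIVE[ep]}")
    # Spring Boot 3: values are masked unless show-values is widened.
    if props.get("management.endpoint.env.show-values", "never").lower() == "always":
        findings.append("env.show-values=always: property values are not masked")
    if "management.server.port" not in props:
        findings.append("no management.server.port: endpoints share the public application port")
    return findings


# Constructed: the weak setting, as often found in the wild.
WEAK_PROPERTIES = """
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
management.endpoint.env.show-values=always
"""

# Constructed: the corrected setting (authentication still belongs in Spring Security).
HARDENED_PROPERTIES = """
management.endpoints.web.exposure.include=health,info,prometheus
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
management.endpoint.env.show-values=never
management.server.port=9090
management.server.address=127.0.0.1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"== {label} ==")
        for f in audit(parse_properties(text)) or ["no findings"]:
            print("  -", f)
```

The checker deliberately treats a missing `management.server.port` as a finding even when the include list is clean: a separate port is what lets network controls take over where application-level authentication is missing or misconfigured.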
## Detection
- **Indicators of Compromise:** Requests from untrusted sources to Actuator paths (`/actuator/`, `/actuator/heapdump`, `/actuator/env`, and the Spring Boot 1.x root-mounted `/heapdump` and `/env`). An HTTP 200 on `/heapdump` with a multi-megabyte response body means the heap has already left the server; every secret it held should be treated as compromised and rotated.
- **Detection Methods and Tools:** Dynamic scanners (such as the one used in the article) can detect publicly reachable instances and specific misconfigurations (e.g. an exposed `/heapdump`); the Shodan favicon query and GreyNoise tags listed under References show the exposure and the scanning activity at Internet scale. Monitoring should also review application configuration for exposed management interfaces, not only network traffic.
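The access-log detection implied by those indicators, as an added example that is not from the Wiz article: it parses a handful of constructed Combined Log Format lines (what nginx or an ingress controller writes in front of a Spring Boot service), recognizes both the 2.x+ `/actuator/...` base path and the 1.x root-mounted endpoints, and separates mere probing (404/401 responses) from a successful download of a sensitive endpoint (HTTP 200). The source addresses and timestamps are constructed; if you changed `management.endpoints.web.base-path`, add that prefix in `actuator_endpoint`.

```python
"""Flag Actuator probing and successful sensitive downloads in access logs.

Added example, not code from the Wiz article. SAMPLE_LOG_LINES are
constructed Combined Log Format entries. The detection covers the Spring
Boot 2.x+ default base path (/actuator/...) and the 1.x root-mounted
endpoints (/heapdump, /env).
"""
from __future__ import annotations

import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Endpoints whose successful retrieval is an incident, not a probe.
SENSITIVE = {"heapdump", "env", "threaddump", "configprops", "beans", "mappings",
             "loggers", "shutdown", "gateway", "refresh", "jolokia"}


def actuator_endpoint(path: str) -> str | None:
    """Return the Actuator endpoint name a request path targets, or None."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if not parts:
        return None
    if parts[0] == "actuator":            # Spring Boot 2.x+ default base path
        return parts[1] if len(parts) > 1 else "actuator"  # bare /actuator = discovery page
    if parts[0] in SENSITIVE:             # Spring Boot 1.x root-mounted endpoints
        return parts[0]
    return None


def analyze(lines: list[str]) -> dict[str, dict]:
    """Per source IP: how many Actuator paths it touched and which sensitive ones returned 200."""
    per_ip: dict[str, dict] = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ep = actuator_endpoint(m["path"])
        if ep is None:
            continue
        rec = per_ip[m["ip"]]
        rec["probes"] += 1
        if int(m["status"]) == 200 and ep in SENSITIVE:
            rec["exposed"].append(ep)
    return dict(per_ip)


def alerts(lines: list[str], probe_threshold: int = 3) -> list[str]:
    """CRITICAL for a successful sensitive download, WARN for repeated probing."""
    out = []
    for ip, rec in analyze(lines).items():
        if rec["exposed"]:
            out.append(f"CRITICAL {ip} retrieved {sorted(set(rec['exposed']))} with HTTP 200")
        elif rec["probes"] >= probe_threshold:
            out.append(f"WARN {ip} probed Actuator paths {rec['probes']} times")
    return out


# Constructed sample: one scanner walking 1.x and 2.x paths and getting 404s,
# one uptime checker hitting /actuator/health, one successful heap dump download,
# and an ordinary API call whose query string happens to mention "env".
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /actuator HTTP/1.1" 404 0 "-" "zgrab/0.x"',
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /actuator/env HTTP/1.1" 404 0 "-" "zgrab/0.x"',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /env HTTP/1.1" 404 0 "-" "zgrab/0.x"',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /heapdump HTTP/1.1" 404 0 "-" "zgrab/0.x"',
    '198.51.100.9 - - [10/Mar/2025:12:00:05 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "uptime-bot/1.0"',
    '198.51.100.77 - - [10/Mar/2025:12:01:10 +0000] "GET /actuator/heapdump HTTP/1.1" 200 73400320 "-" "curl/8.0"',
    '10.0.0.4 - - [10/Mar/2025:12:01:30 +0000] "GET /api/orders?env=prod HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG_LINES):
        print(a)
```

A 404 from the application is still a probe worth counting: the scanner in the sample walks both path layouts, which is exactly the behaviour the GreyNoise "Spring Boot Actuator Crawler" tag captures, and the same source reappearing after a deployment that widens exposure is how the CRITICAL case starts.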
## References
- Vendor Advisories: Related to specific Spring Boot security updates (Not detailed here).
- Relevant links:
- Baeldung link on Actuators: `hxxps://www.baeldung.com/spring-boot-actuators`
- Spring Boot Project page: `hxxps://spring.io/projects/spring-boot`
- Shodan for Actuator endpoints: `hxxps://www.shodan.io/search?query=http.favicon.hash%3A116323821`
- GreyNoise analysis of Actuator scanning: `hxxps://viz.greynoise.io/query/tags:%22Spring%20Boot%20Actuator%20Crawler%22%20classification:%22malicious%22`
- GreyNoise analysis of health check scanning: `hxxps://viz.greynoise.io/tags/spring-boot-actuator-health-scanner?days=30`