Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
Users of affected versions should apply the following mitigation:

- 0.9.x users should upgrade to 0.9.5 (reactor-bom Dysprosium SR-5).
- 0.8.x users should upgrade to 0.8.16 (reactor-bom Californium SR-16).

Note: Reactor Netty 0.9.5 and 0.8.16 depend on Netty 4.1.45+. Spring Boot applications should upgrade to 2.2.5 or 2.1.13 to use the above versions. No other steps are necessary.

In some cases, after upgrading, applications may experience authentication failures following a redirect to a different domain. If this happens, applications may then need to explicitly configure the Reactor Netty HttpClient with a redirect request handler.

Releases that have fixed this issue include:
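The following is an added example, not code from the advisory or from the Reactor Netty project, of what the "redirect request handler" configuration mentioned above can look like. It shows the risky pattern (credentials attached to a client that blindly follows redirects) next to a hardened version that only re-attaches the credentials when the redirect target is the host they were issued for. It assumes the two-argument HttpClient.followRedirect(boolean, Consumer<HttpClientRequest>) overload and HttpClientRequest.resourceUrl() from Reactor Netty 0.9.5 / 0.8.16 (check the javadoc for your version); TRUSTED_HOST and the bearer value are constructed placeholders.

```java
import java.net.URI;
import java.util.function.Consumer;

import reactor.netty.http.client.HttpClient;
import reactor.netty.http.client.HttpClientRequest;

public class RedirectCredentialsExample {

    // Host the credentials belong to (constructed sample value).
    static final String TRUSTED_HOST = "api.example.com";
    // Placeholder token; never hard-code real credentials.
    static final String BEARER = "Bearer <token-placeholder>";

    /**
     * Risky pattern: an Authorization header is set on every request and the
     * client is told to follow redirects. On affected versions (0.9.x < 0.9.5,
     * 0.8.x < 0.8.16) the header was replayed on a redirect to another domain.
     */
    static HttpClient riskyClient() {
        return HttpClient.create()
                .headers(h -> h.set("Authorization", BEARER))
                .followRedirect(true);
    }

    /**
     * Hardened pattern for the fixed versions: credentials are added to the
     * original request, and the redirect request handler decides, per redirect,
     * whether the new target may receive them.
     */
    static HttpClient hardenedClient() {
        return HttpClient.create()
                .headers(h -> h.set("Authorization", BEARER))
                .followRedirect(true, redirectRequestHandler());
    }

    /** Re-adds the credential only when the redirect stays on the trusted host. */
    static Consumer<HttpClientRequest> redirectRequestHandler() {
        return req -> {
            if (sameHost(req.resourceUrl(), TRUSTED_HOST)) {
                req.header("Authorization", BEARER);
            }
            // Any other host gets the redirected request without credentials.
        };
    }

    /** Exact, case-insensitive host comparison; unparsable URLs are not trusted. */
    static boolean sameHost(String url, String trustedHost) {
        try {
            String host = URI.create(url).getHost();
            return host != null && host.equalsIgnoreCase(trustedHost);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String body = hardenedClient()
                .get()
                .uri("https://" + TRUSTED_HOST + "/resource")
                .responseContent()
                .aggregate()
                .asString()
                .block();
        System.out.println(body);
    }
}
```

The handler compares the full host name rather than a suffix, so a redirect to a look-alike domain does not receive the token. If an application legitimately authenticates against several hosts, keep an explicit allow-list of those hosts and pass the matching credential for each; do not fall back to forwarding the original header unconditionally, which recreates the behaviour this advisory describes.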
This issue was identified and responsibly reported by Ludwig Bedacht and Daniel Spruth from Volkswagen Group IT Services GmbH.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy