CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets

HIGH | JULY 17, 2023 | CVE-2023-34035

Description

Severity is high unless otherwise noted.

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5 and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) or requestMatchers(HttpMethod, String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet.

(DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)

Specifically, an application is vulnerable when all of the following are true:

  • Spring MVC is on the classpath
  • Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
  • The application uses requestMatchers(String) or requestMatchers(HttpMethod, String)

An application is not vulnerable if any of the following is true:

  • The application does not have Spring MVC on the classpath
  • The application secures no servlets other than Spring MVC’s DispatcherServlet
  • The application does not use requestMatchers(String) or requestMatchers(HttpMethod, String)

Affected Spring Products and Versions

  • Spring Security 5.8.0 to 5.8.4
  • Spring Security 6.0.0 to 6.0.4
  • Spring Security 6.1.0 to 6.1.1

Mitigation

Users of affected versions should apply the following mitigations.

First:

  • 5.8.x users should upgrade to 5.8.5
  • 6.0.x users should upgrade to 6.0.5
  • 6.1.x users should upgrade to 6.1.2

Second, if you are using multiple servlets and one of them is Spring MVC’s DispatcherServlet, you may see the following error message at startup time:

This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use `requestMatchers(MvcRequestMatcher)`;
otherwise, please use `requestMatchers(AntPathRequestMatcher)`.

Sometimes these extra servlets are not needed. For example, some servlet containers will add a DefaultServlet that DispatcherServlet effectively replaces. In many cases, such a servlet can be removed from your container's global configuration.

If the extra servlets are not needed, remove them and check whether the error persists. If it does, follow the instructions in the error message and state explicitly, for each pattern, whether it is a Spring MVC pattern (`requestMatchers(MvcRequestMatcher)`) or a pattern for another servlet (`requestMatchers(AntPathRequestMatcher)`). Note that this error is only raised by the fixed versions; on an affected version the same configuration starts without complaint, so upgrading first is what surfaces the ambiguity.

For several examples of how to address the error message, please see the following mitigation repo.
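As an added illustration (written for this page, not taken from the advisory or from the Spring Security project's own code or mitigation repo), the configuration below shows the ambiguous form that the fixed versions reject, followed by the explicit form the error message asks for. It assumes a Spring Security 6.1 application in which Spring MVC's DispatcherServlet is mapped to `/` and a second, non-MVC servlet (a hypothetical H2-style console) is mapped under `/h2/*`; the paths, role names and bean names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed layout (illustrative, not from the advisory): Spring MVC's
    // DispatcherServlet is mapped to "/", and a second, non-MVC servlet
    // (an H2-style console) is mapped to "/h2/*".

    /*
     * BEFORE (ambiguous). With Spring MVC on the classpath, requestMatchers(String)
     * builds a Spring MVC-style matcher for every pattern, yet "/h2/**" is served by
     * a different servlet, so that rule may not apply to the requests it was written
     * for. On 5.8.5 / 6.0.5 / 6.1.2 this configuration fails at startup with:
     * "This method cannot decide whether these patterns are Spring MVC patterns or not."
     *
     * http.authorizeHttpRequests(authorize -> authorize
     *     .requestMatchers("/admin/**").hasRole("ADMIN")
     *     .requestMatchers("/h2/**").hasRole("DBA")
     *     .anyRequest().authenticated());
     */

    @Bean
    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
        // Produces matchers that use Spring MVC's own path matching, i.e. the same
        // matching the DispatcherServlet applies to @Controller endpoints. If the
        // DispatcherServlet were mapped under a prefix instead of "/", add
        // .servletPath("/that-prefix") so patterns resolve relative to it.
        return new MvcRequestMatcher.Builder(introspector);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                // AFTER (explicit): say which servlet each pattern belongs to.
                // Spring MVC @Controller endpoints -> MvcRequestMatcher
                .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
                .requestMatchers(mvc.pattern(HttpMethod.DELETE, "/api/**")).hasRole("ADMIN")
                // Endpoints served by the other servlet -> plain Ant-style matching
                .requestMatchers(antMatcher("/h2/**")).hasRole("DBA")
                // Catch-all so a pattern that fails to match does not fall through
                // to an unprotected endpoint.
                .anyRequest().authenticated());
        return http.build();
    }
}
```

The startup error is the practical check: after upgrading, any `requestMatchers(String)` or `requestMatchers(HttpMethod, String)` rule that Spring Security cannot classify is rejected, and each one must be converted to either the `mvc.pattern(...)` or the `antMatcher(...)` form shown above, according to which servlet actually serves that path.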

Credit

This issue was identified and responsibly reported by senior software engineer Mouad Kondah from Kudelski Security.
