Headline
CVE-2023-20862: CVE-2023-20862: Empty SecurityContext Is Not Properly Saved Upon Logout
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Description
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout.
Specifically, an application is vulnerable when any of the following is true:
- You are using the SecurityContextHolderFilter or requireExplicitSave(true) and you are using Spring Security’s logout support with serialized sessions (e.g. Spring Session) and invalidateHttpSession(false)
- You are logging users out manually by saving an empty SecurityContext into the HttpSessionSecurityContextRepository
- You have a custom SecurityContextRepository that does not rely on the HttpSession
An application is not vulnerable if any of the following is true:
- You are still using the deprecated SecurityContextPersistenceFilter or requireExplicitSave(false)
- You are using Spring Security’s logout support with in-memory sessions.
- You are not saving an empty SecurityContext into the HttpSessionSecurityContextRepository
Affected Spring Products and Versions
Spring Security:
- 6.0.0 to 6.0.2
- 5.8.0 to 5.8.2
- 5.7.0 to 5.7.7
Mitigation
Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3. No other steps are necessary. Releases that have fixed this issue include:
Spring Security:
- 5.7.8
- 5.8.3
- 6.0.3
Credit
This issue was identified and responsibly reported by Daniel Furtlehner from Porsche Informatik.
References
- https://docs.spring.io/spring-security/reference/5.8/migration/servlet/session-management.html#_require_explicit_saving_of_securitycontextrepository
- https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#store-authentication-manually
- https://docs.spring.io/spring-security/reference/5.8.3/servlet/authentication/session-management.html#properly-clearing-authentication
Related news
Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).