Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-20862: CVE-2023-20862: Empty SecurityContext Is Not Properly Saved Upon Logout

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

CVE
#vulnerability#perl#auth

Description

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout.

Specifically, an application is vulnerable when any of the following is true:

  • You are using the SecurityContextHolderFilter or requireExplicitSave(true) and you are using Spring Security’s logout support with serialized sessions (e.g. Spring Session) and invalidateHttpSession(false)
  • You are logging users out manually by saving an empty SecurityContext into the HttpSessionSecurityContextRepository
  • You have a custom SecurityContextRepository that does not rely on the HttpSession

An application is not vulnerable if any of the following is true:

  • You are still using the deprecated SecurityContextPersistenceFilter or requireExplicitSave(false)
  • You are using Spring Security’s logout support with in-memory sessions.
  • You are not saving an empty SecurityContext into the HttpSessionSecurityContextRepository

Affected Spring Products and Versions

Spring Security:

  • 6.0.0 to 6.0.2
  • 5.8.0 to 5.8.2
  • 5.7.0 to 5.7.7

Mitigation

Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3. No other steps are necessary. Releases that have fixed this issue include:

Spring Security:

  • 5.7.8
  • 5.8.3
  • 6.0.3

Credit

This issue was identified and responsibly reported by Daniel Furtlehner from Porsche Informatik.

References

  • https://docs.spring.io/spring-security/reference/5.8/migration/servlet/session-management.html#_require_explicit_saving_of_securitycontextrepository
  • https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#store-authentication-manually
  • https://docs.spring.io/spring-security/reference/5.8.3/servlet/authentication/session-management.html#properly-clearing-authentication

Related news

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Apple iOS, Google Android Patch Zero-Days in July Security Updates

Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907