Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Spring Boot Misconfiguration: Admin MBean Enabled
Abstract
The Spring Boot application is configured to expose an administration MBean.
Explanation
Spring Boot allows developers to enable admin-related features for the application by specifying the spring.application.admin.enabled property. This exposes the SpringApplicationAdminMXBean on the platform MBeanServer. Developers could use this feature to administer the Spring Boot application remotely; however, this feature exposes an additional attack surface in the form of a remote JMX endpoint. Depending on the configuration of the MBeanServer, the MBean can be exposed locally or remotely, and may or may not require authentication. In the worst case, attackers will be able to manage the application remotely, including shutting it down without any authentication. In the best case, the service will be as strong as the credentials used to protect the server.
Note: If using a JRE version vulnerable to CVE-2016-3427 (fixed in Java 8 Update 91, April 2016), an attacker will be able to pass any serialized Java object as the credentials, which may lead to arbitrary code execution when the remote JVM deserializes it.
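The cases the explanation walks through (admin MBean off; on but only local; on with remote JMX that requires credentials; on with remote JMX and authentication disabled) can be checked mechanically from the application's configuration. The auditor below is an added example, not part of this description or of Spring Boot: it reads the spring.application.admin.enabled property (from application.properties or from the SPRING_APPLICATION_ADMIN_ENABLED environment variable that Spring Boot's relaxed binding maps onto it), reads the JDK's standard com.sun.management.jmxremote.* system properties from the JVM command line, and grades the exposure the way the text does. The sample property file and command lines are constructed for the example; the severity labels are the example's own.

```python
"""Audit a Spring Boot deployment for exposure of the SpringApplicationAdminMXBean.

Added example (not Fortify's or Spring's code). Uses only the standard library.
"""
import re
from dataclasses import dataclass

ADMIN_KEY = "spring.application.admin.enabled"          # Spring Boot property from the text
JMX_PORT = "com.sun.management.jmxremote.port"          # JDK: setting this opens remote JMX
JMX_AUTH = "com.sun.management.jmxremote.authenticate"  # JDK default is "true"
JMX_SSL = "com.sun.management.jmxremote.ssl"            # JDK default is "true"


def parse_properties(text: str) -> dict:
    """Parse 'key=value' / 'key: value' lines of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def relaxed_env(env: dict) -> dict:
    """Map Spring Boot relaxed-binding env vars (SPRING_APPLICATION_ADMIN_ENABLED)
    onto their dotted property names so they can be audited like file properties."""
    return {k.lower().replace("_", "."): v for k, v in env.items()}


def parse_jvm_options(argv: list) -> dict:
    """Collect -Dkey=value system properties from a JVM command line."""
    sysprops = {}
    for arg in argv:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            sysprops[key] = value if value else "true"  # bare -Dfoo means "true"
    return sysprops


def is_true(value) -> bool:
    return str(value).strip().lower() == "true"


@dataclass
class Finding:
    severity: str  # "none" | "medium" | "high" | "critical" (labels chosen for this example)
    message: str


def audit(props: dict, sysprops: dict, env: dict = None) -> Finding:
    """Grade the admin MBean exposure following the cases in the description above.
    Environment variables override file properties, as they do in Spring Boot."""
    effective = dict(props)
    effective.update(relaxed_env(env or {}))
    if not is_true(effective.get(ADMIN_KEY, "false")):
        return Finding("none", "admin MBean not registered (property absent or false)")
    remote = JMX_PORT in sysprops
    authenticated = is_true(sysprops.get(JMX_AUTH, "true"))
    encrypted = is_true(sysprops.get(JMX_SSL, "true"))
    if not remote:
        return Finding("medium", "admin MBean on the platform MBeanServer; "
                                 "reachable by local processes only")
    if not authenticated:
        return Finding("critical", "admin MBean reachable over remote JMX with "
                                   "authentication disabled; anyone can shut the app down")
    note = "" if encrypted else "; SSL disabled, credentials travel in the clear"
    return Finding("high", "admin MBean reachable over remote JMX; security equals "
                           "the strength of the JMX credentials" + note)


# Constructed sample inputs: a weak deployment next to a corrected one.
WEAK_PROPERTIES = """# application.properties (constructed sample)
spring.application.name=orders
spring.application.admin.enabled=true
"""
WEAK_JVM = ["java", "-Dcom.sun.management.jmxremote.port=9010",
            "-Dcom.sun.management.jmxremote.authenticate=false",
            "-Dcom.sun.management.jmxremote.ssl=false", "-jar", "orders.jar"]

FIXED_PROPERTIES = """# application.properties (constructed sample)
spring.application.name=orders
spring.application.admin.enabled=false
"""
FIXED_JVM = ["java", "-jar", "orders.jar"]


def audit_examples() -> dict:
    """Run the auditor over both constructed deployments; returns severity per case."""
    return {
        "weak": audit(parse_properties(WEAK_PROPERTIES), parse_jvm_options(WEAK_JVM)).severity,
        "fixed": audit(parse_properties(FIXED_PROPERTIES), parse_jvm_options(FIXED_JVM)).severity,
    }


if __name__ == "__main__":
    for name, sev in audit_examples().items():
        print(f"{name}: {sev}")
```

The grading mirrors the description's own reasoning: the admin MBean alone puts an administrative interface on the platform MBeanServer, remote JMX without authentication is the "shut it down without any authentication" case, and remote JMX with credentials is only as strong as those credentials. A deployment that does not need remote administration should leave spring.application.admin.enabled at its default of false.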
References
[1] Spring Boot Reference Guide, Spring
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.3.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.3.1
[11] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.spring_boot_misconfiguration_admin_mbean_enabled