Spring Security Advisories

CVE-2023-20859: Insertion of Sensitive Information into Log Sourced from Failed Revocation of Tokens

MEDIUM | MARCH 20, 2023 | CVE-2023-20859

Description

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

Specifically, an application is vulnerable when all of the following are true:

  • The authentication mechanism creates Batch tokens.
  • Usage of LifecycleAwareSessionManager in an imperative-only arrangement.
  • LifecycleAwareSessionManager.destroy() is called by the application or the application shutdown hook
  • The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set at least to WARN or a more detailed logging level.
  • The token revocation fails because either of:
    • A vault error response that batch tokens cannot be revoked
    • An I/O error occurs

An application is not vulnerable if any of the following is true:

  • The application uses ReactiveSessionManager in a mixed reactive/imperative or reactive-only arrangement.
  • LifecycleAwareSessionManager.destroy() is never called by the application or the application shutdown hook
  • The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set to ERROR or higher, such as OFF.
  • The authentication mechanism creates Service tokens.

Affected Spring Products and Versions

  • Spring Vault
    • 3.0.0 to 3.0.1
    • 2.3.0 to 2.3.2 and older versions
  • Spring Cloud Vault
    • 4.0.0
    • 3.1.0 to 3.1.2 and older versions
  • Spring Cloud Config
    • 4.0.0 to 4.0.1
    • 3.1.0 to 3.1.6 and older versions

Mitigation

Users of affected versions should apply the following mitigation.

  • Spring Vault 3.0.x users should upgrade to 3.0.2. When consuming Spring Vault transitively, pin the dependency version of spring-vault-core to 3.0.2.
  • Spring Vault 2.3.x users should upgrade to 2.3.3. When consuming Spring Vault transitively, pin the dependency version of spring-vault-core to 2.3.3
  • All other users should either use service tokens or increase the logging level to at least ERROR for the org.springframework.vault.authentication.LifecycleAwareSessionManager logger.

No other steps are necessary.

Releases that have fixed this issue include:

  • Spring Vault
    • 3.0.2
    • 2.3.3

Credit

This issue was identified and responsibly reported by Martin Kiesel.

History

  • 2023-03-20: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all