VMware patches critical authorization bypass vulnerability in Spring Security

A critical authorization-rule bypass vulnerability exists in Spring Security versions 5.7.0 to 5.7.4 and 5.6.0 to 5.6.8. Because the bypass is triggered by a server-side “forward” (or “include”) rather than a new client request, it potentially gives attackers a way past an API gateway and into backend services.

What: VMware released Spring Security 5.6.9 and 5.7.5 on October 31 to fix the vulnerability (CVE-2022-31692), which has a base score of 9.8 out of a possible 10.0 on the CVSS scale. Spring’s disclosure described the vulnerability as allowing authorization rules to be “bypassed via forward or include in Spring Security.” Spring has urged organizations using Spring Security to update as soon as possible. No further technical details on the vulnerability have been released. Some early reports suggested the flaw can only be triggered from within the local network, but a 9.8 base score corresponds to a network-reachable vector with no privileges or user interaction required, so defenders should treat it as remotely exploitable until Spring says otherwise.
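The following is an added illustration, not code from the article or from the Spring project, of the generic servlet mechanism behind the wording “bypassed via forward or include”: a security filter chain only runs for the dispatcher types it is registered for, so a server-side forward from a public handler to a protected path reaches that path without the protected path’s authorization rule being evaluated again. The paths, roles and class names are hypothetical; the `spring.security.filter.dispatcher-types` property and its `async,error,request` default are Spring Boot’s, and `shouldFilterAllDispatcherTypes` is the 5.7-line setting for applying rules to every dispatcher type.

```java
// Added example (hypothetical application). Shows a public controller that
// forwards into a protected path, and the configuration needed for the
// security filter chain to observe FORWARD/INCLUDE dispatches at all.
package com.example.forwarddemo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
class SecurityConfig {

    // The rule the operator expects to hold for /admin/** however the request
    // arrives. With Spring Boot's default
    //   spring.security.filter.dispatcher-types=async,error,request
    // the filter chain is simply not invoked for FORWARD or INCLUDE dispatches,
    // so the forward below never reaches this rule.
    //
    // To make the chain run on forwards and includes, set (application.properties):
    //   spring.security.filter.dispatcher-types=async,error,request,forward,include
    // and, on the 5.7 line, tell the authorization filter to evaluate every
    // dispatcher type rather than only the original request:
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                .shouldFilterAllDispatcherTypes(true)
                .mvcMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().permitAll());
        return http.build();
    }
}

@Controller
class ForwardingController {

    // Public endpoint. Returning a "forward:" view name makes Spring MVC call
    // RequestDispatcher.forward() inside the same servlet request. No new HTTP
    // request is made by the client, so whether the /admin/** rule is checked
    // again depends entirely on the filter chain being registered for FORWARD.
    // A "redirect:" view name would instead send the browser back through the
    // filter chain as a fresh request.
    @GetMapping("/public/preview")
    String preview() {
        return "forward:/admin/report";
    }

    // Protected target (hypothetical).
    @GetMapping("/admin/report")
    @ResponseBody
    String report() {
        return "sensitive report";
    }
}
```

The configuration above is the expected-behaviour baseline, not a substitute for the patch: the affected releases are precisely the ones for which Spring says rules could still be bypassed via forward or include, so after upgrading to 5.6.9 or 5.7.5 the check to run is an unauthenticated request to a public path that forwards into a protected one (here `GET /public/preview`) and confirming it is rejected instead of returning the protected body. Auditing for `forward:` view names, `RequestDispatcher.forward()`/`include()` calls and `<jsp:include>` usage tells you which applications have such a path to test.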

Why it matters: Spring Security is the de facto standard for securing Spring-based applications: the highly customizable authentication and access-control layer for Spring, VMware’s widely used Java framework. Spring is the dominant framework in the Java ecosystem, used by 60% of all Java developers.

Something to keep an eye on:

API architect Owen Rubel claims the vulnerability has existed for years and impacts every API tool. According to Rubel, “API gateways rely on REDIRECTS to check security for a call to another endpoint, but that security can be bypassed with a simple FORWARD.” In a LinkedIn post, Rubel claimed he has discussed this issue with AWS, Mulesoft, and Mashery/Tibco. “They CAN’T fix it as it would make API Gateways useless,” he says.

“Graphql uses a redirect for every endpoint call when stitching so can LITERALLY have hundreds of redirects with a single api call; one FORWARD for an endpoint call would bypass ALL of Graphql’s rules,” he noted.

Vulnerability announcements:

NIST/NVD CVE-2022-31692 vulnerability detail

Spring announcement