Quarkus 2.14.2.Final and 2.13.5.Final released - Fix for CVE-2022-4116
Today, we are announcing the release of Quarkus 2.14.2.Final and Quarkus 2.13.5.Final.
Both releases fix CVE-2022-4116 which has been rated as severity high.
This fix also hardens CORS handling, including changing 200 OK to 403 FORBIDDEN when a CORS request is rejected because of an invalid origin.
It is highly recommended to upgrade to these new versions:
-
2.14.2.Final contains this fix and several others
-
2.13.5.Final targets the 2.13 branch and contains this fix only
Users of the Red Hat Build of Quarkus should update to the latest 2.7.6.Final-redhat-00012.
About CVE-2022-4116
CVE-2022-4116 is a vulnerability in our Dev UI that could lead to remote code execution on the machine running the Dev UI, if you go to a carefully crafted webpage while the Dev UI is running.
While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box.
Joseph Beeton from Constrast Security explains the issue in detail in this blog post.
Mitigations
The easiest way to mitigate the issue is to upgrade to either 2.14.2.Final or 2.13.5.Final.
If you cannot upgrade right now, a possible workaround is to use a random path for the Quarkus Dev UI by moving all the non application endpoints to a random root:
%dev.quarkus.http.non-application-root-path=<your random string>
The Dev UI is then available at the following URL: http://localhost:8080/<your random string>/dev/
.
Note that this also affects other non application endpoints such as the health endpoints (but only in dev mode as we use the dev
profile).
Credits
We would like to thank Joseph Beeton from Contrast Security for reporting responsibly this security issue, and providing both an in depth analysis of the problem and a reproducer.
完全な変更履歴
You can get the full changelog of 2.14.2.Final and the one for 2.13.5.Final on GitHub.
参加のお誘い
私達は皆様からのフィードバックに重きを置いています。バグ報告、改善要望を是非お願いします。一緒に素晴らしいものを作り上げていきましょう!
Quarkusユーザーの場合でも、単に興味を持っているだけの場合でも、恥ずかしがらずにコミュニティに参加して下さい!:
-
GitHub でフィードバック
-
コードを作成し、 プルリクエスト を送信
-
Stack Overflow で質問