Quarkus 2.14.2.Final and 2.13.5.Final released - Fix for CVE-2022-4116

CVE-2022-4116 is a vulnerability in our Dev UI that could lead to remote code execution on the machine running the Dev UI, if you go to a carefully crafted webpage while the Dev UI is running.

While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box.

Joseph Beeton from Constrast Security explains the issue in detail in this blog post.

The easiest way to mitigate the issue is to upgrade to either 2.14.2.Final or 2.13.5.Final.

If you cannot upgrade right now, a possible workaround is to use a random path for the Quarkus Dev UI by moving all the non application endpoints to a random root:

The Dev UI is then available at the following URL: http://localhost:8080/<your random string>/dev/.

Note that this also affects other non application endpoints such as the health endpoints (but only in dev mode as we use the dev profile).

We would like to thank Joseph Beeton from Contrast Security for reporting responsibly this security issue, and providing both an in depth analysis of the problem and a reproducer.

You can get the full changelog of 2.14.2.Final and the one for 2.13.5.Final on GitHub.

私達は皆様からのフィードバックに重きを置いています。バグ報告、改善要望を是非お願いします。一緒に素晴らしいものを作り上げていきましょう!

Quarkusユーザーの場合でも、単に興味を持っているだけの場合でも、恥ずかしがらずにコミュニティに参加して下さい!: