CVE-2023-34034 is another authorization bypass in Spring Security. Like CVE-2022-31692 it’s nasty because it allows completely unrestricted access to supposedly protected resources. Also like CVE-2022-31692 it requires very specific configuration to be vulnerable and is easily fixed.
This post demonstrates the vulnerability, the problem configuration and suggested fixes. A demonstration vulnerable application is on GitHub.
CVE-2022-31692 is a vulnerability in Spring Security that allows authorization bypass when running with specific configurations. The good news is that only very specific configurations are exploitable. However, if you’ve configured Spring Security in this way, attackers can access protected resources without authorization.
When an application loads classes using multiple ClassLoaders, unexpected behaviours can arise. For example, consider a class loaded by two different classloaders: Result is: All…
If you’re invoking external processes with Runtime.getRuntime().exec() or ProcessBuilder.start(), it is vitally important to handle the standard out and standard error streams. Otherwise, the parent process may block – it gets stuck without throwing an Exception to tell you why.
How do you delete a directory in Java? java.io.File defines a method delete() that deletes a file or directory:
public void delete(File dir) {
dir.delete();
}
If only it were that simple.
CVE-2022-42889 Text4Shell is a vulnerability in the Apache Commons Text library. Like previous brand-name vulnerabilities Log4Shell and Spring4Shell, it’s a Remote Code Execution (RCE) vulnerability that allows a bad actor to run arbitrary code on the host machine. However it’s less likely to be exploitable as it requires a very specific use of the library to be vulnerable.
It affects Apache Commons Text 1.5 to 1.9 and was fixed in 1.10. However, as we’ll see later the application code can still be vulnerable to other attacks even in the fixed version.
Here’s a silly gotcha in the Java language. I’ve got a method that parses a String to an int and returns a default value if the String cannot be parsed:
int parseOrDefault(String val, int def) {
try {
return Integer.parseInt(val);
} catch (NumberFormatException e) {
return def;
}
}
Using JUnit for testing System.exit() calls from application code can be tricky. This is because System.exit() terminates the JVM running it. If you’re running JUnit, this is the JUnit runner. If JUnit invokes System.exit() in application code it will end your test without deciding a success / fail status and will also terminate the test run.
The Redis SCAN command allows you to iterate over the key space. On a single Redis node you can SCAN all keys or just keys matching a pattern. It’s a slow operation: O(N) where N is the number of keys in the database. However, it can be useful when you want to view every item in the database or when there’s no way to find your values without traversing everything. Due to the way that Redis shards data though, it may be difficult to SCAN keys on a Redis Cluster. It is possible but it takes a little more work.