CVE-2023-4853

8.1 HIGH

📋 TL;DR

This vulnerability in Quarkus allows attackers to bypass HTTP security policies by using specially crafted character permutations in requests. Affected systems could experience unauthorized access to protected endpoints and potential denial of service. Organizations using vulnerable versions of Quarkus with HTTP security policies enabled are at risk.

💻 Affected Systems

Products:
  • Quarkus
Versions: prior to 2.16.6.Final, 3.2.6.Final, and 3.6.4
Operating Systems: All platforms running Quarkus
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Quarkus HTTP security policies. The vulnerability is present in default configurations when security policies are enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete bypass of all HTTP security policies leading to unauthorized access to sensitive endpoints, data exfiltration, and denial of service through resource exhaustion.

🟠 Likely Case

Partial bypass of security policies allowing unauthorized access to some protected endpoints, potentially exposing sensitive data or functionality.

🟢 If Mitigated

Limited impact with proper network segmentation, additional authentication layers, and request validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with character permutations that bypass security policy evaluation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Quarkus 2.16.6.Final, 3.2.6.Final, or 3.6.4

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5170

Restart Required: Yes

Instructions:

1. Identify the current Quarkus version.
2. Update to a patched version (2.16.6.Final, 3.2.6.Final, or 3.6.4).
3. Restart the Quarkus application.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement a custom HTTP filter to sanitize and validate request parameters before security policy evaluation.

Implementation: a custom javax.servlet.Filter, or the equivalent in Quarkus, that validates/sanitizes request parameters.

WAF Rule (applies to: all)

Configure the Web Application Firewall to block requests with suspicious character permutations.

Implementation: add a WAF rule to detect and block patterns like %0A, %0D, %09, and %20 in URL parameters.
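As an added example (not from this advisory and not Quarkus project code), the following pre-matching Jakarta REST ContainerRequestFilter rejects requests whose raw path or query carries percent-encoded control characters, encoded path delimiters, or unnormalized dot and double-slash segments, returning 400 before any resource method runs. The package and class names are assumptions; Quarkus 3.x uses the jakarta.ws.rs namespace, while Quarkus 2.x needs the javax.ws.rs imports instead.

```java
// Added example: a Jakarta REST filter that rejects requests carrying encoded
// control characters or encoded path delimiters before a resource method runs.
// Package and class names are assumptions; swap jakarta.* for javax.* on Quarkus 2.x.
package com.example.hardening;

import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

import java.net.URI;
import java.util.regex.Pattern;

@Provider
@PreMatching   // runs before resource matching, so every request path is checked
public class RawPathValidationFilter implements ContainerRequestFilter {

    // Percent-encoded control characters: %0A, %0D, %09 from the advisory plus the
    // rest of 0x00-0x1F and 0x7F. %20 (space) is deliberately not included here.
    private static final Pattern ENCODED_CONTROL =
            Pattern.compile("%(?:[01][0-9a-f]|7f)", Pattern.CASE_INSENSITIVE);

    // Encoded '/', '.' and '\' let the policy matcher and the router see different paths.
    private static final Pattern ENCODED_DELIMITER =
            Pattern.compile("%(?:2f|2e|5c)", Pattern.CASE_INSENSITIVE);

    static boolean isSuspiciousPath(String rawPath) {
        if (rawPath == null || rawPath.isEmpty()) return false;
        if (ENCODED_CONTROL.matcher(rawPath).find()) return true;
        if (ENCODED_DELIMITER.matcher(rawPath).find()) return true;
        // Unencoded control characters should never survive parsing, but stay defensive.
        for (int i = 0; i < rawPath.length(); i++) {
            char c = rawPath.charAt(i);
            if (c < 0x20 || c == 0x7f) return true;
        }
        // Dot segments and empty segments that a normaliser would have collapsed.
        return rawPath.contains("//") || rawPath.contains("/./") || rawPath.contains("/../")
                || rawPath.endsWith("/.") || rawPath.endsWith("/..");
    }

    static boolean isSuspiciousQuery(String rawQuery) {
        // Queries legitimately contain %2F and %2E, so only control characters are rejected.
        return rawQuery != null && ENCODED_CONTROL.matcher(rawQuery).find();
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        URI uri = ctx.getUriInfo().getRequestUri();
        // getRawPath()/getRawQuery() return the still-percent-encoded forms.
        if (isSuspiciousPath(uri.getRawPath()) || isSuspiciousQuery(uri.getRawQuery())) {
            ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("request rejected: unexpected encoded characters")
                    .build());
        }
    }
}
```

Two caveats on where this sits and what it blocks. Quarkus enforces quarkus.http.auth.permission policies on the Vert.x HTTP layer ahead of Jakarta REST filters, so this filter does not run before the policy; its value is that a request which slipped past the policy matcher is still rejected before it reaches the endpoint. Send a test request to a non-production instance to confirm that getRawPath() still shows the encoded form in your Quarkus version. The WAF rule above also lists %20; it is left out of ENCODED_CONTROL because spaces are common in legitimate query strings, and %2F must be dropped from ENCODED_DELIMITER if the application deliberately accepts encoded slashes in path parameters.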

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable Quarkus instances from sensitive systems
  • Add additional authentication/authorization layers (API gateway, reverse proxy with auth) in front of Quarkus applications

🔍 How to Verify

Check if Vulnerable:

Check the Quarkus version with: java -jar your-app.jar --version, or examine pom.xml / build.gradle for the Quarkus version

Check Version:

java -jar your-app.jar --version | grep -i quarkus

Verify Fix Applied:

Verify version is 2.16.6.Final, 3.2.6.Final, or 3.6.4 or later. Test security policies with crafted requests containing character permutations.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests with encoded characters (%0A, %0D, %09) accessing protected endpoints
  • Security policy evaluation failures or bypasses in application logs

Network Indicators:

  • HTTP requests with unusual character sequences in parameters/headers to Quarkus endpoints
  • Traffic patterns showing access to previously restricted endpoints

SIEM Query:

source="quarkus" AND ("security policy bypass" OR "unauthorized access" OR "%0A" OR "%0D" OR "%09")
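As an added example, not part of the advisory, the following Java scanner applies the log indicators above to access-log lines: it parses a combined-log-style line, decodes the path once so that double-encoded sequences such as %250A are caught, and reports requests that carry an encoded control character and target a path prefix covered by a security policy. The log format, the protected prefixes and the five sample lines are constructed for the example; lines one, two and five are built to meet both conditions, line four is an ordinary denied request and line three touches no protected path.

```java
// Added example: scan access-log lines for encoded control characters aimed at
// policy-protected paths. Log format, prefixes and sample lines are constructed.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicyBypassLogScan {

    // Combined-log-style line: client - - [timestamp] "METHOD path PROTOCOL" status size
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3})");

    // Percent-encoded control characters: %0A, %0D, %09 from the indicators plus the
    // rest of 0x00-0x1F and 0x7F.
    private static final Pattern ENCODED_CONTROL =
            Pattern.compile("%(?:[01][0-9a-f]|7f)", Pattern.CASE_INSENSITIVE);

    // Path prefixes covered by an HTTP security policy (assumed for the example).
    static final String[] PROTECTED_PREFIXES = {"/admin", "/api/internal"};

    static String decodeOnce(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return s; // keep malformed escapes as-is so they still reach the pattern check
        }
    }

    // Map permutations such as "//admin" or "/admin%0A/x" back onto a prefix:
    // decode once, drop control characters, collapse repeated slashes, lower-case.
    static boolean targetsProtectedPath(String rawPath) {
        String p = decodeOnce(rawPath).replaceAll("[\\x00-\\x1f\\x7f]", "")
                                      .replaceAll("/+", "/")
                                      .toLowerCase();
        for (String prefix : PROTECTED_PREFIXES) {
            if (p.startsWith(prefix)) return true;
        }
        return false;
    }

    // One summary string per line that both targets a protected prefix and carries an
    // encoded control character, either raw or after one round of decoding.
    static List<String> findSuspicious(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;
            String client = m.group(1), method = m.group(3), path = m.group(4), status = m.group(5);
            boolean encodedControl = ENCODED_CONTROL.matcher(path).find()
                    || ENCODED_CONTROL.matcher(decodeOnce(path)).find();
            if (encodedControl && targetsProtectedPath(path)) {
                hits.add(client + " " + method + " " + path + " -> " + status);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; the client addresses come from documentation ranges.
        List<String> sample = List.of(
            "203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] \"GET /admin%0A/users HTTP/1.1\" 200 512",
            "203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] \"GET /api/internal/%0dconfig HTTP/1.1\" 200 128",
            "198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] \"GET /api/public/items HTTP/1.1\" 200 2048",
            "198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] \"GET /admin/users HTTP/1.1\" 401 0",
            "203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] \"GET /admin%250A/users HTTP/1.1\" 200 512");
        findSuspicious(sample).forEach(System.out::println);
    }
}
```

A 200 status on a reported line is the signal worth escalating, since a request that should have been denied by policy is what a bypass looks like in the log; a 401 or 403 on the same pattern shows the policy held. The single decode pass is what makes the SIEM query above less brittle: a literal search for %0A misses %250A and lower-case %0a, both of which this scanner catches.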
