CVE-2023-51650

7.5 HIGH

📋 TL;DR

Hertzbeat versions before 1.4.1 have Spring Boot permission misconfigurations that allow unauthenticated access to three interfaces. This vulnerability enables attackers to access sensitive server information without authentication. All Hertzbeat deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • Hertzbeat
Versions: All versions before 1.4.1
Operating Systems: All platforms running Hertzbeat
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of Hertzbeat before version 1.4.1.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain full access to sensitive monitoring data and server configurations, and could potentially pivot to other systems in the environment.

🟠 Likely Case: Unauthorized users access sensitive monitoring information and server details that could facilitate further attacks.

🟢 If Mitigated: Information disclosure is limited if network segmentation restricts access, but the authentication bypass itself remains until the instance is patched.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly accessible to attackers without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can exploit this, but it requires network access to the Hertzbeat instance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to vulnerable endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://github.com/dromara/hertzbeat/security/advisories/GHSA-rrc5-qpxr-5jm2

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the Hertzbeat service.
3. Update to version 1.4.1 or later.
4. Restart the Hertzbeat service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Access Control (platform: linux)

Restrict network access to Hertzbeat instances using firewall rules, so that only trusted networks can reach the Hertzbeat port. Replace [hertzbeat-port] and [trusted-network] with your own values; the ACCEPT rule must come before the DROP rule, since iptables evaluates rules in order.

iptables -A INPUT -p tcp --dport [hertzbeat-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [hertzbeat-port] -j DROP

Reverse Proxy Authentication (platform: all)

Place Hertzbeat behind a reverse proxy with authentication enabled, so that requests to the API endpoints are authenticated before they reach the application.

🧯 If You Can't Patch

  • Isolate Hertzbeat instances to internal networks only with strict firewall rules.
  • Implement network segmentation and monitor for unauthorized access attempts to Hertzbeat endpoints.

🔍 How to Verify

Check if Vulnerable:

Check if accessing /api/account/auth/refresh, /api/monitors, or /api/alerts endpoints returns data without authentication.

Check Version:

Check the Hertzbeat web interface or application logs for version information, or run: java -jar hertzbeat.jar --version

Verify Fix Applied:

After patching, verify that unauthenticated requests to vulnerable endpoints return 401/403 errors.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /api/account/auth/refresh, /api/monitors, or /api/alerts endpoints
  • Multiple 200 responses from unauthenticated sources

Network Indicators:

  • Unusual traffic patterns to Hertzbeat API endpoints from unauthorized sources
  • Data exfiltration from monitoring endpoints

SIEM Query:

source="hertzbeat" AND (uri_path="/api/account/auth/refresh" OR uri_path="/api/monitors" OR uri_path="/api/alerts") AND http_status=200 AND NOT authenticated_user=*
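The same check as the SIEM query above, as an added example that is not part of the advisory or of the Hertzbeat project: it scans access-log lines in combined log format for 200 responses to the three affected endpoints where no authenticated user was recorded, and groups them by source address. It assumes the remote-user field is "-" for unauthenticated requests (the convention in Apache/Tomcat-style access logs); the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Endpoints the advisory names as reachable without authentication in Hertzbeat < 1.4.1.
SENSITIVE_PATHS = {"/api/account/auth/refresh", "/api/monitors", "/api/alerts"}

# Combined log format: client, ident, remote user, time, request, status, bytes.
# Assumption: a remote-user field of "-" means no authenticated principal was recorded.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic): one source hits two affected
# endpoints three times without a user, one authenticated hit, one 401, one other path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /api/monitors HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /api/alerts HTTP/1.1" 200 2210
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /api/alerts?page=2 HTTP/1.1" 200 1980
198.51.100.4 - admin [10/Jan/2024:10:01:00 +0000] "GET /api/monitors HTTP/1.1" 200 5123
198.51.100.9 - - [10/Jan/2024:10:02:00 +0000] "GET /api/monitors HTTP/1.1" 401 52
192.0.2.5 - - [10/Jan/2024:10:03:00 +0000] "GET /api/summary HTTP/1.1" 200 800
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_unauth_hit(entry):
    """True when an affected endpoint returned 200 and no authenticated user was logged."""
    path = entry["path"].split("?", 1)[0]  # ignore the query string when matching
    return path in SENSITIVE_PATHS and entry["status"] == "200" and entry["user"] == "-"

def find_unauth_hits(log_text):
    """Map each source IP to the list of requested paths that matched the indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_unauth_hit(entry):
            hits[entry["ip"]].append(entry["path"])
    return dict(hits)

def sources_over_threshold(hits, threshold=2):
    """Sources with repeated unauthenticated 200s ("multiple 200 responses" indicator)."""
    return {ip for ip, paths in hits.items() if len(paths) >= threshold}

if __name__ == "__main__":
    found = find_unauth_hits(SAMPLE_LOG)
    for ip in sources_over_threshold(found):
        print(f"{ip}: {len(found[ip])} unauthenticated 200s on affected endpoints")
```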
