CVE-2023-5384
📋 TL;DR
This vulnerability in Infinispan (and Red Hat Data Grid) exposes credentials in clear text: when a cache configuration that embeds credentials (a JDBC store using connection pooling, or a remote store) is serialized to XML, JSON, or YAML, the password is written out verbatim instead of being masked. Any deployment whose cache configurations embed such credentials is exposed wherever the serialized configuration can be read.
💻 Affected Systems
- Infinispan (upstream)
- Red Hat Data Grid (Red Hat's supported distribution of Infinispan)
📦 What is this software?
Infinispan by Infinispan: an open-source in-memory data grid and cache, run embedded in Java applications or as a standalone server with REST and Hot Rod endpoints.
Data Grid by Red Hat: the supported, productized distribution of Infinispan.
⚠️ Risk & Real-World Impact
Worst Case
Attackers use the leaked JDBC or remote-store credentials to connect directly to the backing database or the remote Infinispan cluster, leading to data theft, data manipulation, or compromise of the systems behind the cache.
Likely Case
Unauthorized users access exposed configuration files and extract credentials, potentially compromising connected systems.
If Mitigated
With proper access controls and monitoring, credential exposure is detected before exploitation, limiting impact to isolated systems.
🎯 Exploit Status
Exploitation requires read access to a serialized configuration: an exported or persisted configuration file, or an endpoint (REST API, console, CLI) that returns cache configuration. Anyone who already has that access obtains the credentials directly from the output; no authentication bypass or further exploit is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific fixed versions (RHSA-2023:7676)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7676
Restart Required: Yes
Instructions:
1. Update Infinispan or Red Hat Data Grid to the patched version specified in the Red Hat advisory.
2. Restart the Infinispan services.
3. Verify that credentials are no longer exposed in serialized configurations.
🔧 Temporary Workarounds
Limit configuration serialization
Avoid serializing cache configurations that contain credentials to XML/JSON/YAML (configuration exports, or fetching a cache's configuration through the REST API, console, or CLI), and restrict the endpoints and roles that can retrieve cache configuration to the administrators who need them.
Remove credentials from configurations
Store credentials in a secure vault instead of in plain text in the cache configuration.
Move JDBC and remote store credentials to external secure storage such as HashiCorp Vault or Kubernetes Secrets, or use Infinispan Server's credential keystore so that the configuration references a stored credential instead of embedding the password.
🧯 If You Can't Patch
- Restrict access to configuration files and serialization endpoints using network segmentation and strict file permissions.
- Monitor access to configuration files and review REST access logs for requests that retrieve cache configuration, especially from hosts or accounts that do not normally administer the cluster.
🔍 How to Verify
Check if Vulnerable:
Serialize a cache configuration that contains JDBC or remote store credentials to XML/JSON/YAML (for example by retrieving the cache's configuration through the REST API or the CLI) and check whether the password values appear in clear text.
Check Version:
Run the version command in the Infinispan CLI, query the server information endpoint of the REST API (GET /rest/v2/server), or read the version printed in the server start-up log.
Verify Fix Applied:
After patching, serialize the same configuration and verify credentials are masked or not present.
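The check above can be scripted. The following is an added example for this page, not Infinispan project code: it fetches a cache's serialized configuration from the REST API (GET /rest/v2/caches/<name>?action=config, which is the serialization path this CVE concerns) or takes an exported document, and reports every password or token attribute that is not masked. It assumes the HTTP realm accepts BASIC or DIGEST authentication for the given user, that a fixed server masks secret values with asterisks or omits them, and that YAML exports need PyYAML; the sample documents are constructed for illustration.

```python
"""Check a serialized Infinispan cache configuration for clear-text credentials
(CVE-2023-5384). Added example, not Infinispan project code."""
import json
import re
import xml.etree.ElementTree as ET
from urllib.request import (HTTPBasicAuthHandler, HTTPDigestAuthHandler,
                            HTTPPasswordMgrWithDefaultRealm, Request, build_opener)

# Attribute/key names that carry secrets in JDBC and remote store settings.
# Assumption: extend this set for other store types you use.
SENSITIVE_KEYS = {"password", "token"}


def is_masked(value: str) -> bool:
    """Assumption: a fixed server emits '' or only '*' characters for secrets."""
    return value == "" or re.fullmatch(r"\*+", value) is not None


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{urn:infinispan:...}'."""
    return name.rsplit("}", 1)[-1]


def scan_xml(text: str) -> list[tuple[str, str]]:
    """Return (element-path@attribute, value) for every unmasked secret attribute."""
    hits: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{_local(elem.tag)}"
        for attr, value in elem.attrib.items():
            if _local(attr).lower() in SENSITIVE_KEYS and not is_masked(value):
                hits.append((f"{here}@{_local(attr)}", value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(text), "")
    return hits


def scan_mapping(node, path: str = "") -> list[tuple[str, str]]:
    """The same check over a parsed JSON (or YAML) document."""
    hits: list[tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if isinstance(value, str) and key.lower() in SENSITIVE_KEYS and not is_masked(value):
                hits.append((child, value))
            else:
                hits.extend(scan_mapping(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(scan_mapping(value, f"{path}[{i}]"))
    return hits


def scan(text: str, media_type: str = "") -> list[tuple[str, str]]:
    """Dispatch on the declared media type, or sniff XML versus JSON."""
    body = text.lstrip()
    if media_type == "application/xml" or (not media_type and body.startswith("<")):
        return scan_xml(text)
    if media_type == "application/yaml":
        import yaml  # PyYAML, only needed for YAML exports
        return scan_mapping(yaml.safe_load(text))
    return scan_mapping(json.loads(text))


def fetch_cache_config(base_url: str, cache: str, user: str, password: str,
                       media_type: str = "application/xml") -> str:
    """Retrieve a cache's serialized configuration from a live server.
    Assumes the HTTP realm accepts BASIC or DIGEST for this user."""
    mgr = HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, user, password)
    opener = build_opener(HTTPBasicAuthHandler(mgr), HTTPDigestAuthHandler(mgr))
    req = Request(f"{base_url}/rest/v2/caches/{cache}?action=config",
                  headers={"Accept": media_type})
    with opener.open(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: a cache with a JDBC store and a remote store, as a
# vulnerable server would serialize it.
SAMPLE_XML = """\
<distributed-cache name="orders">
  <persistence>
    <string-keyed-jdbc-store xmlns="urn:infinispan:config:store:jdbc:14.0">
      <connection-pool connection-url="jdbc:postgresql://db/orders"
                       driver="org.postgresql.Driver"
                       username="orders" password="s3cr3t-db"/>
    </string-keyed-jdbc-store>
    <remote-store xmlns="urn:infinispan:config:store:remote:14.0" cache="orders-dr">
      <security><authentication server-name="infinispan">
        <digest username="replicator" password="s3cr3t-remote" realm="default"/>
      </authentication></security>
    </remote-store>
  </persistence>
</distributed-cache>
"""
# The same document as a fixed server is assumed to emit it (secrets masked).
SAMPLE_XML_MASKED = SAMPLE_XML.replace("s3cr3t-db", "***").replace("s3cr3t-remote", "***")
# Constructed JSON form of the JDBC store section.
SAMPLE_JSON = json.dumps({"distributed-cache": {"persistence": {
    "string-keyed-jdbc-store": {"connection-pool": {
        "connection-url": "jdbc:postgresql://db/orders",
        "username": "orders", "password": "s3cr3t-db"}}}}})

if __name__ == "__main__":
    for label, doc in (("xml", SAMPLE_XML), ("xml-masked", SAMPLE_XML_MASKED), ("json", SAMPLE_JSON)):
        found = scan(doc)
        print(label, "VULNERABLE" if found else "clean", found)
```

To test a live server, call fetch_cache_config(base_url, cache, user, password) and pass the result to scan with the same media type; run it before and after patching against the same cache so the before/after comparison in the verification steps is mechanical rather than eyeballed.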
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to configuration files on the server's file system
- REST access log entries that retrieve a cache's configuration (GET /rest/v2/caches/<name>?action=config) from users or hosts that do not normally administer the cluster
Network Indicators:
- Unusual requests to configuration serialization endpoints
- Traffic patterns indicating configuration file access
SIEM Query:
Search REST access logs for GET requests whose target contains action=config and group them by source address and user; alert on sources or accounts outside the administrator allow-list. Separately, search file-integrity or audit events for reads of Infinispan configuration files, since those files may contain the same credential strings.
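The query described above, as an added example for this page rather than Infinispan project code. It assumes the REST access log (logger org.infinispan.REST_ACCESS_LOG, which is disabled by default) has been enabled with the server's default pattern, %X{address} %X{user} [%d{dd/MMM/yyyy:HH:mm:ss Z}] "%X{method} %m %X{protocol}" %X{status} %X{requestSize} %X{responseSize} %X{duration}, and that the message field holds the request URI; the log lines below are constructed for illustration.

```python
"""Flag reads of serialized cache configuration in the Infinispan REST access
log (CVE-2023-5384 detection). Added example, not Infinispan project code."""
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed line layout: the server's default REST access log pattern.
ACCESS_LINE = re.compile(
    r'^(?P<addr>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d+) (?P<req>\d+) (?P<resp>\d+) (?P<dur>\d+)$')

# The endpoint that serializes a cache's configuration.
CONFIG_READ = re.compile(
    r'^/rest/v2/caches/(?P<cache>[^/?]+)\?(?:.*&)?action=config(?:&|$)')


@dataclass(frozen=True)
class ConfigRead:
    addr: str
    user: str
    ts: str
    cache: str
    status: int


def parse_config_reads(lines: Iterable[str]) -> list[ConfigRead]:
    """Return every successful request that serialized a cache configuration."""
    reads: list[ConfigRead] = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        c = CONFIG_READ.match(m["target"])
        if c and m["status"].startswith("2"):
            reads.append(ConfigRead(m["addr"], m["user"], m["ts"], c["cache"], int(m["status"])))
    return reads


def suspicious_reads(lines: Iterable[str], allowed_sources: set[str],
                     allowed_users: set[str]) -> list[ConfigRead]:
    """Config reads from hosts or accounts outside the administrator allow-lists."""
    return [r for r in parse_config_reads(lines)
            if r.addr not in allowed_sources or r.user not in allowed_users]


# Constructed sample log: one admin export, two reads by a non-admin account
# from another host, one denied read, and an unrelated write.
SAMPLE_LOG = """\
10.0.1.5 admin [09/Nov/2023:10:12:01 +0000] "GET /rest/v2/caches/orders HTTP/1.1" 200 0 112 2
10.0.1.5 admin [09/Nov/2023:10:12:05 +0000] "GET /rest/v2/caches/orders?action=config HTTP/1.1" 200 0 1342 3
10.0.9.77 observer [09/Nov/2023:10:13:40 +0000] "GET /rest/v2/caches/orders?action=config HTTP/1.1" 200 0 1342 4
10.0.9.77 observer [09/Nov/2023:10:13:41 +0000] "GET /rest/v2/caches/sessions?action=config HTTP/1.1" 200 0 980 2
10.0.9.77 observer [09/Nov/2023:10:13:42 +0000] "GET /rest/v2/caches/secrets?action=config HTTP/1.1" 403 0 0 1
10.0.1.5 admin [09/Nov/2023:10:14:00 +0000] "POST /rest/v2/caches/orders?action=clear HTTP/1.1" 200 0 0 5
""".splitlines()

if __name__ == "__main__":
    for r in suspicious_reads(SAMPLE_LOG, {"10.0.1.5"}, {"admin"}):
        print(f"ALERT {r.ts} {r.user}@{r.addr} read config of cache '{r.cache}'")
```

Only 2xx responses count: a denied request shows that someone probed the endpoint but did not obtain the serialized configuration, so it belongs in a separate, lower-severity signal. The allow-lists are the detection's policy input; on an unpatched cluster every hit from outside them is a potential credential disclosure.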
🔗 References
- https://access.redhat.com/errata/RHSA-2023:7676
- https://access.redhat.com/security/cve/CVE-2023-5384
- https://bugzilla.redhat.com/show_bug.cgi?id=2242156
- https://security.netapp.com/advisory/ntap-20240125-0004/