post/2022-02/spring-boot-actuator-security-issues/

[utterances-bot]

Be Aware of Security Issues Raised by Spring Boot Actuator - Spring Cloud

Recently, we have been particularly disturbed by various security vulnerabilities, and we receive dozens of emails a week from security teams scanning for vulnerabilities. One of these vulnerabilities is easy to overlook, but has a very wide impact and is extremely harmful. You shouldn’t be surprised when I say its name, it’s the Spring Boot Actuator.
Before writing this article, I did a little survey with my friends asking them about their knowledge of the Spring Boot Actuator and the results were amazingly consistent.

https://www.springcloud.io/post/2022-02/spring-boot-actuator-security-issues/

[nandorholozsnyak]

Great post about the possible security risks of using the actuator project, just a few personal notes here:

• "Carefully evaluate the need to bring in spring-boot-stater-actuator. In my personal experience, I haven’t come across any requirements that necessarily require the introduction"

In my opinion, of once an application is brought to production, the actuator almost becomes a must to have the abilities to fine tune the app during runtime. I mean now log levels, which is a really cool thing to introduce debug or even trace level loggings even on UAT or production environment. I have faced scenarios where we said okay, lets just turn on the debug log for a few minutes, collect the neccessary information and turn it off. Without the actuator, it would require even a new commit into the application and a new deployment, or it would require environment variable hacking on the depoyment side, or in worst case, a custom development which would copy the logic probably from the actuator impementation.

When an app is in production, you want to have metrics stored somewhere, and the actuator package contains the Prometheus and the metrics endpoint which lets you scape it and build your own dashboards around that. Of course there is another way like with Prometheus Push Gateway, but thats another story. Actuator here is really helpful.

Health check. Of course, it can be also implemented by the app developer without the actuator, but actuator's health check is much more elegant as it can check external dependency health and make sure the app only running/working/serving requests if for example the database server is available.

Dynamic configuration properties - this is probably a hard topic, but if you would need to change something on the fly when if it is a configuration property, you would be able to do it. Like if you are stroring secrets in AWS or GCP, and reading this with the specific 3rd party library, you just have to change the secret and refresh the app context on the fly. Without the need of app restart or anything else.

• "Configure a separate access port for the endpoint".

This is okay(ish), but if you want to use Actuator's health check, in this case the health check will check that newly configured port's connection and not the main app's which will be falsy, and you won't be able to rely on it.

Security is super important, make sure a strong security is configured for your Actuators and at the same time if possible make sure only the necessary endpoints are published to the PUBLIC! You may say you need the /env and /configprops be available internally, for example in the company's VPN, make sure it is happening.
Of course, if it is not doable, make sure you test everything and do not let any 3rd party to gain access over your app :)

[nandorholozsnyak]

This is also a great discussion to check over here: codecentric/spring-boot-admin#3756