Cadet 3rd Class

Insecure Deployment: Unpatched Application

Hi, 

Our WebInspect scan returns a High vulnerability, Insecure Deployment: Unpatched Application, vulnerability ID 11627. The vulnerability description is all about Spring Boot, but our web site does not use it. It is written in ASP.NET. Can anybody help me fix this issue?

How to verify or exploit the issue.

Browse to https://oursite.com:443/Shared/Find/heapdump to verify the vulnerability.

How this vulnerability affects you.

When a Spring Boot application is running, it automatically registers actuator endpoints into the routing process. For Spring Boot versions 1 - 1.4, several endpoints (such as '/trace', '/beans', '/env' and so on) are accessible without authentication, causing significant security issues. With Spring version 1.5 and later, all endpoints except for '/health' and '/info' are considered sensitive and secured by default. However, application developers can still disable this security.

How to remediate the issue.

Fix:
If you are using Spring Boot version 1.4 or earlier, upgrade to at least Spring Boot version 1.5.
Be sure to secure all actuator endpoints that can reveal sensitive information by granting access only to users with a dedicated role to prevent accidental exposure of endpoints to users with other roles.
Micro Focus Expert
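The scanner's "verify" step above only says to browse to the flagged URL, which does not distinguish a real Spring Boot heap dump from an ASP.NET catch-all route that answers 200 for any path (the most common reason this check fires on a non-Java site). The script below is an added triage example, not part of the original post or of WebInspect; it requests the flagged path and a random control path on the same host, checks whether the body actually carries an HPROF heap-dump header (raw or gzip-compressed, as Spring Boot 1.x serves it), and reports whether the finding looks like a true positive, a catch-all false positive, or something to inspect by hand. The base URL and the /Shared/Find/heapdump path come from the post; the User-Agent string and the constructed sample dump are assumptions.

```python
"""Triage a WebInspect 'Insecure Deployment: Unpatched Application' hit (ID 11627).

The scanner flags a path such as /Shared/Find/heapdump because it looks like a
Spring Boot actuator endpoint. On an ASP.NET site the usual cause is a catch-all
route that returns 200 for any URL, so the response body has to be inspected
before the finding is accepted or marked as a false positive.
"""
import gzip
import secrets
import zlib
from dataclasses import dataclass
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

HPROF_MAGIC = b"JAVA PROFILE 1.0."  # header of a real Java heap dump (HPROF format)
GZIP_MAGIC = b"\x1f\x8b"            # Spring Boot 1.x serves the dump gzip-compressed

# Constructed sample of what a genuine /heapdump response would start with;
# used only for local testing, not captured from any real system.
SAMPLE_HPROF_GZIP = gzip.compress(b"JAVA PROFILE 1.0.2\x00" + b"\x00" * 128)


@dataclass
class Probe:
    """The parts of an HTTP response the triage needs."""
    status: int
    content_type: str
    head: bytes  # first few hundred bytes of the body


def looks_like_hprof(head: bytes) -> bool:
    """True if the body starts with an HPROF header, raw or inside a gzip stream."""
    if head.startswith(GZIP_MAGIC):
        # decompressobj tolerates a truncated stream; gzip.decompress does not
        try:
            head = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(head)
        except zlib.error:
            return False
    return head.startswith(HPROF_MAGIC)


def classify(target: Probe, control: Probe) -> str:
    """Compare the flagged path with a random control path on the same host."""
    if target.status == 200 and looks_like_hprof(target.head):
        return "true-positive: heap dump served without authentication"
    if target.status >= 400:
        return "not exposed: endpoint denied or missing"
    same_type = target.content_type.split(";")[0] == control.content_type.split(";")[0]
    if control.status == 200 and same_type:
        return "likely false positive: catch-all route answers 200 for any path"
    return "inconclusive: 200 with unexpected body, inspect manually"


def fetch(url: str, timeout: float = 10.0) -> Probe:
    """Fetch a URL and keep only status, content type and the first 512 bytes."""
    req = Request(url, headers={"User-Agent": "actuator-triage/1.0"})  # assumed UA
    try:
        with urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Content-Type", ""), resp.read(512))
    except HTTPError as err:
        return Probe(err.code, err.headers.get("Content-Type", ""), err.read(512))


def triage(base_url: str, flagged_path: str) -> str:
    """Run the comparison against a live host (network access required)."""
    control_path = "/" + secrets.token_hex(8)  # random path that should not exist
    target = fetch(urljoin(base_url, flagged_path))
    control = fetch(urljoin(base_url, control_path))
    return classify(target, control)


if __name__ == "__main__":
    # Against the host from the scan finding; only run this on a site you administer.
    print(triage("https://oursite.com:443/", "/Shared/Find/heapdump"))
```

If the result is "likely false positive", the scan export with traffic that support asks for will show the same generic HTML on both paths, which is the evidence needed to close the finding; if it is "true-positive", something on that host really is serving a Java heap dump and the Spring Boot remediation in the finding applies to that component even if the front end is ASP.NET.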

Short of marking it as a false positive and moving on, in order for us to make a more educated analysis we would need an export of the scan with traffic. As this is the case, opening a ticket with support would be in order to collect the information for further analysis.
