The Spring Boot Framework contains a set of tools called actuators that will help you monitor and control your web application when deployed in production. If misconfigured, they can open a hidden door to your server, which is intended to be utilised for auditing, health, and metrics gathering.
When a Spring Boot application runs, it automatically registers numerous endpoints in the routing process (such as ‘/health,’ ‘/trace,’ ‘/beans,’ ‘/env,’ and so on). They are available without authentication for Spring Boot 1 - 1.4, raising serious security issues. All endpoints except ‘/health’ and ‘/info’ are deemed sensitive and secured by default starting with Spring version 1.5, but this security is frequently removed by application developers.
The majority of actuators merely respond to GET requests and provide sensitive configuration information. Spring Boot exposes the Jolokia Library via the ‘/jolokia’ actuator endpoint if it is on the target application’s classpath. All registered MBeans can be accessed over HTTP, and Jolokia is meant to execute the same activities as JMX.
The ‘reloadByURL’ action provided by the Logback library, allows us to reload the logging configuration from an external URL. Config is stored in an XML format, which Logback parses with External Entities enabled, making it vulnerable to blind XXE.
Mitigation / Precaution
In order to patch this vulnerability, please install the official patch the vendor made available for supported, vulnerable instances for Spring Boot framework
