Spring Boot Actuators (Jolokia) XXE

Rejah Rehim
Published on
01 Oct 2021
1 min read

The Spring Boot Framework contains a set of tools called actuators that help you monitor and control your web application once it is deployed in production. They are intended for auditing, health checks and metrics gathering, but if misconfigured they can open a hidden door to your server.

When a Spring Boot application runs, it automatically registers numerous endpoints in the routing process (such as ‘/health,’ ‘/trace,’ ‘/beans,’ ‘/env,’ and so on). They are available without authentication for Spring Boot 1 - 1.4, raising serious security issues. All endpoints except ‘/health’ and ‘/info’ are deemed sensitive and secured by default starting with Spring version 1.5, but this security is frequently removed by application developers.

The majority of actuators merely respond to GET requests and provide sensitive configuration information. Spring Boot exposes the Jolokia Library via the ‘/jolokia’ actuator endpoint if it is on the target application’s classpath. All registered MBeans can be accessed over HTTP, and Jolokia is meant to execute the same activities as JMX.

The ‘reloadByURL’ action provided by the Logback library allows us to reload the logging configuration from an external URL. The config is stored in XML, which Logback parses with External Entities enabled, making it vulnerable to blind XXE.

Mitigation / Precaution

In order to patch this vulnerability, please install the official patch the vendor has made available for supported, vulnerable instances of the Spring Boot framework.
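Because the exposure the post describes comes down to actuator configuration, here is an added example (not from the original post) showing the weak setting beside the hardened one for both Spring Boot generations mentioned above. The property names are Spring Boot's own; the assumption is that the application is configured through application.properties.

```properties
# Spring Boot 1.x (1.5 and later): sensitive endpoints such as /jolokia are
# protected by default. The common weakening is to switch that protection off.
#
# --- weak (what the post says developers frequently do) ---
# management.security.enabled=false
#
# --- hardened ---
# Keep the default protection of sensitive endpoints.
management.security.enabled=true
# Do not register the /jolokia endpoint at all if the app does not need it.
endpoints.jolokia.enabled=false
# If Jolokia must stay enabled, make sure it stays classified as sensitive.
endpoints.jolokia.sensitive=true

# Spring Boot 2.x: there is no 'sensitive' flag; endpoints are governed by
# exposure rules, and exposing everything over the web re-creates the problem.
#
# --- weak ---
# management.endpoints.web.exposure.include=*
#
# --- hardened ---
# The 2.x default: only health and info are reachable over HTTP.
management.endpoints.web.exposure.include=health,info
# Disable the Jolokia endpoint explicitly even if the library is on the classpath.
management.endpoint.jolokia.enabled=false
```

Review the running application's effective configuration (the /env actuator, when you are authorised to read it, or the deployed properties) rather than the repository copy, since profile-specific files and environment variables can override these values.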

Written by
Rejah Rehim
Co-founder, Director