Description
Spring Boot Actuator provides built-in endpoints for monitoring and managing applications in production. While only the health and info endpoints are exposed by default, this application is configured to expose all Actuator endpoints using management.endpoints.web.exposure.include=*. This configuration makes sensitive management interfaces publicly accessible without proper access controls.
Remediation
Restrict Spring Boot Actuator endpoint exposure to only those endpoints required for your operational needs. Follow these steps to secure your configuration:
Step 1: Limit exposed endpoints in your application properties file (application.properties or application.yml):
# Only expose specific endpoints that are needed management.endpoints.web.exposure.include=health,info,metrics # Alternatively, exclude sensitive endpoints management.endpoints.web.exposure.exclude=heapdump,threaddump,env,shutdown
Step 2: Implement authentication and authorization for Actuator endpoints using Spring Security:
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(EndpointRequest.toAnyEndpoint())
.authorizeRequests()
.requestMatchers(EndpointRequest.to("health", "info")).permitAll()
.anyRequest().hasRole("ACTUATOR_ADMIN")
.and()
.httpBasic();
}
}
Step 3: Consider isolating Actuator endpoints on a separate management port accessible only from trusted networks:
# Expose actuator on a different port management.server.port=8081 management.server.address=127.0.0.1This configuration should be combined with network-level access controls (firewall rules) to restrict access to the management port.
References
Related Vulnerabilities
Spring Boot Misconfiguration: Datasource credentials stored in the properties file
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-0215)
Oracle JRE Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-10356)
WordPress Plugin Customer Reviews for WooCommerce Multiple Vulnerabilities (5.3.5)