Quarkus Dev UI CVE-2022-4116

[maxandersen]

We've just released fixes to Quarkus 2.14 and 2.13 to protect against CVE-2022-4116.

This issue affects anyone running Quarkus in dev mode.

Mitigation

The easiest way to mitigate the issue is to upgrade to either 2.14.2.Final or 2.13.5.Final.

See release blog for details.

A fix for Red Hat Build of Quarkus 2.7 will follow very soon.

If you cannot upgrade right now, a possible workaround is to use a random path for the Quarkus Dev UI by moving all the non application endpoints to a random root:

%dev.quarkus.http.non-application-root-path=<your random string>

The Dev UI is then available at the following URL: http://localhost:8080/<your random string>/dev/.

Note that this also affects other non application endpoints such as the health endpoints (but only in dev mode as we use the dev profile).

If you are not already using 2.14, please refer to our migration guide.

About CVE-2022-4116

CVE-2022-4116 is a vulnerability in our Dev UI that could lead to remote code execution on the machine running the Dev UI, if you go to a carefully crafted webpage while the Dev UI is running.

While it only affects dev mode, the impact is still high, as it could lead to an attacker getting local access to your development box.

We will link to a blog post explaining the issue in more details soon.

[jmini]

Even if Quarkus is mostly consumed as platform and it doesn't make sense to update a single jar, it would be interesting to know which exact jar (in terms of maven coordinates) is affected.

Some tools are relying on this information to issue warnings and give update hints.

I looked at different location:

---

Red Hat Advisory (vendor)
Source https://access.redhat.com/security/cve/cve-2022-4116

It mentions: package: quarkus_dev_ui.

Not sure what this is referring to.

---

GitHub Advisory (linked in this article)
GHSA-g56w-cwg4-hxx9

It mentions following artifact: io.quarkus:quarkus-parent (Maven).

This is good to have some maven GAV but the wrong one (in my opinion).

In a gradle-based build, I do not have any item with artifactId = quarkus-parent in my list of dependencies (returned by the ./gradlew dependencies command).

---

Snyk Vulnerability Database
https://security.snyk.io/vuln/SNYK-JAVA-IOQUARKUS-3147059

It mentions following artifact: io.quarkus:quarkus-vertx-http-deployment (also with Maven coordinates)

I can imagine this is correct, but I found no other sources confirming this information.

[maxandersen]

The artifact affected is io.quarkus:quarkus-vertx-http-deployment.

We've notified the others to update their artifact advisory.