Dynamic Code Evaluation: Unsafe Deserialization (Spring Boot 2) - how to avoid actuator related fortify issue, or is it a false positive?

Rafeek Muhammed · Oct 23, 2018

I am using the below actuator dependency

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

with spring boot 2,

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
</parent>

Any comments on the Fortify-related vulnerabilities, or do we have any justification for treating the Fortify issue as a false positive?

Answer

Andy Wilkinson · Nov 1, 2018

I suspect that the issue is being raised by Fortify not because of spring-boot-starter-actuator itself but its transitive dependency on Jackson which contains a deserialization of untrusted data vulnerability. However, for an application to be vulnerable a non-default, and probably quite unusual, set of circumstances have to be true. You can learn more about those circumstances in this blog post from Jackson's author. Spring Boot's Actuator does not enable polymorphic type handling so, if the Fortify warning is due to Jackson, it is a false positive.

The vulnerability has been fixed in Jackson 2.9.7 by blocking certain classes from polymorphic deserialisation. Spring Boot 2.0.6 and 2.1.0 use Jackson 2.9.7 by default.
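The following is an added example, not code from the question, the answer, or Spring Boot itself. It shows the distinction the answer relies on: with Jackson's default typing off (Spring Boot's auto-configured ObjectMapper), a class name inside the JSON is just a string; with default typing turned on by the application, the same bytes select the class that gets instantiated, which is the precondition for the deserialization issue. It also shows the safe way to get polymorphism when you do need it (an explicit allow list of named subtypes). The class names Shape, Circle and Square and the sample JSON are constructed for the illustration; java.util.HashMap is used as a harmless stand-in for whatever class an attacker would name.

```java
// Added example: demonstrates why Jackson default typing is the risky,
// non-default setting, and the allow-listed alternative. Not from the page.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingCheck {

    // Constructed input. Jackson's default-typing wire format is a two-element
    // array: [ "fully.qualified.ClassName", { ...fields... } ]. When default
    // typing is enabled, whoever writes this JSON picks the class to instantiate.
    static final String TYPED_JSON = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Explicit, allow-listed polymorphism (hypothetical types for the example):
    // a logical name, not a class name, mapped to a fixed set of subtypes.
    // Any other type id is rejected before anything is instantiated.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}
    static class Circle implements Shape { public double radius; }
    static class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        // 1. Default typing off (what Spring Boot's auto-configured mapper uses).
        //    The class name is parsed as an ordinary string inside a list.
        ObjectMapper plain = new ObjectMapper();
        Object asData = plain.readValue(TYPED_JSON, Object.class);
        System.out.println("default typing off -> "
            + asData.getClass().getSimpleName() + " " + asData);

        // 2. The non-default configuration the answer refers to. The same bytes
        //    now instantiate the class named in the JSON (a harmless HashMap here;
        //    Jackson 2.9.7+ refuses a block list of known gadget classes, but the
        //    type is still chosen by the sender).
        ObjectMapper risky = new ObjectMapper();
        risky.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE; deprecated in 2.10
        Object asObject = risky.readValue(TYPED_JSON, Object.class);
        System.out.println("default typing on  -> " + asObject.getClass().getName());

        // 3. Allow-listed polymorphism: only "circle" and "square" are accepted,
        //    and the mapper never consults the JSON for a class name.
        Shape ok = plain.readValue("{\"type\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("allow-listed       -> " + ok.getClass().getSimpleName());
        try {
            plain.readValue("{\"type\":\"java.util.HashMap\"}", Shape.class);
        } catch (JsonMappingException e) {
            // InvalidTypeIdException (a JsonMappingException): unknown type id
            System.out.println("unknown type id rejected: " + e.getOriginalMessage());
        }
    }
}
```

To confirm which Jackson version your build actually resolves (the answer notes that 2.0.6 and 2.1.0 pull in 2.9.7), run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` in the project and check the jackson-databind line; and grep your own code and configuration for `enableDefaultTyping` or `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS` before concluding that the Fortify finding is a false positive for your application.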