
How to remediate – Spring Boot Actuator Sensitive Endpoints Detected

1. Introduction

Spring Boot Actuator Sensitive Endpoints Detected refers to exposed endpoints within a Spring Boot application that provide monitoring and management access. These endpoints, while useful for developers, can reveal sensitive information if accessible without proper security measures. This affects applications using the Spring Boot framework, particularly those with default configurations. A successful exploit could lead to information disclosure, denial of service, or remote code execution.

2. Technical Explanation

Spring Boot Actuator endpoints are enabled by default and provide access to internal application details. The ‘env’, ‘configprops’, ‘heapdump’, ‘restart’, and ‘shutdown’ endpoints are particularly sensitive. An attacker can remotely access these endpoints if they are not protected, potentially gaining information about environment variables, application configuration, memory contents, or even triggering a shutdown. The root cause is often insufficient access control on these endpoints.

  • Root cause: Lack of authentication and/or authorization for sensitive Actuator endpoints.
  • Exploit mechanism: An attacker sends HTTP requests to exposed endpoints (e.g., http://example.com/actuator/env) to retrieve sensitive data or trigger actions.
  • Scope: Spring Boot applications versions 2.0 and later are affected, especially those using default configurations.

3. Detection and Assessment

Confirming the vulnerability involves checking whether sensitive endpoints are publicly accessible. A quick check identifies exposed endpoints; a thorough method also verifies that access control (authentication, authorization, network restriction) is actually enforced on them.

  • Quick checks: Use curl or a web browser to attempt access to common sensitive endpoints like /actuator/env and /actuator/heapdump.
  • Scanning: Nessus plugin ID 16329 can identify exposed Spring Boot Actuator endpoints. This is an example only; results should be verified manually.
  • Logs and evidence: Check application logs for access attempts to Actuator endpoints from unexpected sources.
curl http://example.com/actuator/env

4. Solution / Remediation Steps

The solution involves disabling unnecessary endpoints and restricting access to sensitive ones. This reduces the attack surface and protects application data.

4.1 Preparation

  • Back up your application.properties or application.yml file before making changes. Stop the Spring Boot application if possible, but it may not be required for all configurations.
  • Ensure you have access to modify the application configuration. The rollback plan is to restore the backed-up configuration file and restart the application.
  • Changes should be deployed during a scheduled maintenance window with appropriate approval from IT security or development teams.

4.2 Implementation

  1. Step 1: Edit your application.properties or application.yml file so that endpoints are not exposed over HTTP by default: replace management.endpoints.web.exposure.include=* with the minimal list you need (for example health,info), and turn off the endpoints themselves with management.endpoints.enabled-by-default=false (in Spring Boot 3.4 and later the equivalent is management.endpoints.access.default=none). An endpoint that is disabled cannot be reached even if it is listed for exposure.
  2. Step 2: If you need specific endpoints, explicitly enable them with properties such as management.endpoint.health.enabled=true and management.endpoint.info.enabled=true, and list exactly those endpoint ids in management.endpoints.web.exposure.include.
  3. Step 3: Secure the endpoints that remain by limiting who can reach them. Spring Boot has no Actuator property that accepts an IP allow-list; instead, move Actuator to a separate management port bound to an internal or loopback address (management.server.port=8081 and management.server.address=127.0.0.1) so it is not reachable on the public interface, and/or require authentication for /actuator/** through Spring Security. Restrict the reachable source networks (for example 192.168.1.0/24 or 10.0.0.0/16) with a firewall or reverse-proxy rule in front of the management port.

4.3 Config or Code Example

Before

# application.properties
management.endpoints.web.exposure.include=*

After

# application.properties
# Expose only what monitoring needs, and disable everything else outright.
management.endpoints.web.exposure.include=health,info
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
# Serve Actuator on its own port, bound to loopback, so it is not reachable from the public interface.
management.server.port=8081
management.server.address=127.0.0.1
# IP allow-listing (e.g. 192.168.1.0/24, 10.0.0.0/16) belongs in the firewall or reverse proxy, not in this file.
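The following Python script is an added example, not code from the original page or from the Spring Boot project: it parses an application.properties fragment and reports the conditions Steps 1 to 3 are meant to remove (wildcard exposure, sensitive endpoints still reachable, Actuator sharing the public port). The endpoint list comes from Section 2 of this article; the embedded BEFORE and AFTER fragments are constructed from Section 4.3; the default web exposure assumed when the include key is absent ("health") and the treatment of the Spring Cloud "restart" endpoint as enabled by default are assumptions stated in the comments.

```python
"""Audit a Spring Boot application.properties fragment for risky Actuator exposure."""
from __future__ import annotations

# Endpoint ids the article calls out as sensitive ('restart' comes from Spring Cloud
# and is treated here like a core endpoint; assumption).
SENSITIVE = ("env", "configprops", "heapdump", "restart", "shutdown")

# Core endpoints that Actuator keeps disabled even when enabled-by-default is true.
DISABLED_BY_DEFAULT = {"shutdown"}

# Constructed samples mirroring the article's before/after configuration.
BEFORE = "management.endpoints.web.exposure.include=*\n"
AFTER = """\
management.endpoints.web.exposure.include=health,info
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.server.port=8081
management.server.address=127.0.0.1
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators.
    Line continuations and unicode escapes are not handled (assumption: not needed here)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:                      # key with an empty value
            props[line] = ""
            continue
        sep = min(seps)                   # first separator wins, so ':' inside a value is safe
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _csv(value: str) -> set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


def is_web_exposed(props: dict[str, str], endpoint: str) -> bool:
    """True if `endpoint` is both enabled and exposed over HTTP under these properties."""
    default_enabled = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    if endpoint in DISABLED_BY_DEFAULT:
        default_enabled = False
    enabled = props.get(f"management.endpoint.{endpoint}.enabled", str(default_enabled)).lower() == "true"
    # Assumed default when the key is absent: only 'health' is exposed over the web.
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = ("*" in include or endpoint in include) and endpoint not in exclude and "*" not in exclude
    return enabled and exposed


def audit(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing risky was found."""
    props = parse_properties(text)
    findings: list[tuple[str, str]] = []
    if "*" in _csv(props.get("management.endpoints.web.exposure.include", "")):
        findings.append(("HIGH", "management.endpoints.web.exposure.include=* exposes every enabled endpoint"))
    for ep in SENSITIVE:
        if is_web_exposed(props, ep):
            findings.append(("HIGH", f"sensitive endpoint '{ep}' is reachable at /actuator/{ep}"))
    if "management.server.port" not in props:
        findings.append(("INFO", "Actuator shares the application port; guard /actuator/** with "
                                 "Spring Security or a proxy/firewall rule"))
    elif props.get("management.server.address", "0.0.0.0") not in ("127.0.0.1", "localhost", "::1"):
        findings.append(("MEDIUM", "management port is bound to a non-loopback address; "
                                   "confirm it is not reachable from untrusted networks"))
    return findings


if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"== {label} ==")
        for severity, message in audit(text) or [("OK", "no risky Actuator settings found")]:
            print(f"  [{severity}] {message}")
```

Run it against a real file with `audit(open("application.properties").read())`; any HIGH finding means Step 1 or Step 2 was not applied completely, and the INFO finding is the reminder that Step 3 still has to be done outside this file.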

4.4 Security Practices Relevant to This Vulnerability


  • Practice 1: Least privilege – restrict access to sensitive endpoints to only authorized users or systems.
  • Practice 2: Secure defaults – configure Spring Boot applications with minimal functionality enabled by default, requiring explicit activation of features.

4.5 Automation (Optional)


# Example Ansible task to replace application.properties with a hardened copy
- name: Secure Spring Boot Actuator endpoints
  copy:
    src: actuator_secure.properties
    dest: /path/to/application.properties
    owner: appuser
    group: appgroup
    mode: "0644"          # quote file modes so YAML does not reinterpret the leading zero
    backup: true          # keeps a timestamped copy of the previous file for the rollback in Section 7
  notify: Restart Spring Boot application

5. Verification / Validation

Confirm the fix by verifying that sensitive endpoints are no longer accessible from unauthorized sources and that authorized access is still functional.

  • Post-fix check: Use curl to attempt access to a previously exposed endpoint (e.g., /actuator/env). Expect an HTTP 403 Forbidden (or 401 Unauthorized) when Spring Security guards the path, an HTTP 404 Not Found when the endpoint is no longer exposed or enabled, or connection refused when the management port is bound to an internal interface; any 200 response means the fix is incomplete.
  • Re-test: Re-run the quick check from Section 3 to confirm that sensitive endpoints are no longer accessible without authentication.
  • Smoke test: Verify that authorized users can still access necessary endpoints (e.g., health and info).
  • Monitoring: Monitor application logs for unauthorized access attempts to Actuator endpoints, looking for HTTP 403 errors or connection refused messages from unexpected IP addresses.
curl -i http://example.com/actuator/env   # should no longer return 200 OK: expect 404, 401/403, or connection refused, depending on which control was applied
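As an added example (not from the original page) that automates the quick check of Section 3 and the post-fix check above, this Python script probes the Actuator paths named in the article on an application you operate, classifies each HTTP result the way the verification bullet describes, and lists anything still exposed beyond the health and info endpoints you chose to keep. The path list, the allow-list and the fake responses used in the offline demonstration are constructed; the `fetch` parameter exists so the classification logic can be exercised without a live server.

```python
"""Verify that sensitive Spring Boot Actuator endpoints are no longer reachable."""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from typing import Callable

# Paths from Sections 2 and 5 of the article; /actuator itself is the discovery page.
PATHS = ("/actuator", "/actuator/env", "/actuator/configprops", "/actuator/heapdump",
         "/actuator/restart", "/actuator/shutdown", "/actuator/health", "/actuator/info")

# Endpoints intentionally left reachable after the fix (Section 4.3 keeps health and info).
ALLOWED = ("/actuator", "/actuator/health", "/actuator/info")


def http_status(url: str, timeout: float = 5.0) -> int | None:
    """Return the HTTP status of a HEAD request, or None when no HTTP response came back
    (connection refused, timeout, DNS failure). HEAD avoids downloading a heap dump body."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "actuator-verify"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status: int | None) -> str:
    """Translate a status code into the outcomes the post-fix check expects."""
    if status is None:
        return "unreachable (connection refused/timeout: management port not routable from here)"
    if status == 200:
        return "EXPOSED: responds without authentication"
    if status == 405:
        return "EXPOSED: endpoint is mapped (write operation, e.g. shutdown, would need POST)"
    if status in (401, 403):
        return "protected: authentication/authorization enforced"
    if status == 404:
        return "not exposed (excluded from web exposure or disabled)"
    return f"unexpected HTTP {status}; inspect manually"


def verify(base_url: str, fetch: Callable[[str], int | None] = http_status) -> dict[str, str]:
    """Map every probed path to its classification. `fetch` is injectable for offline tests."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in PATHS}


def still_exposed(results: dict[str, str], allowed: tuple[str, ...] = ALLOWED) -> list[str]:
    """Paths classified EXPOSED that are not on the allow-list; non-empty means the fix is incomplete."""
    return [p for p, verdict in results.items() if verdict.startswith("EXPOSED") and p not in allowed]


if __name__ == "__main__":
    if len(sys.argv) == 2:
        results = verify(sys.argv[1])
    else:
        # Offline demonstration with constructed responses: only health/info/discovery answer 200.
        results = verify("http://app.example", fetch=lambda u: 200 if u.endswith(ALLOWED) else 404)
    for path, verdict in results.items():
        print(f"{path:<24} {verdict}")
    leftovers = still_exposed(results)
    print("RESULT:", "fix incomplete, still exposed: " + ", ".join(leftovers) if leftovers else "no sensitive endpoint reachable")
```

Run it as `python verify_actuator.py https://app.example.com` from a host outside the management network and again from inside it: the first run should show every sensitive path as not exposed, protected or unreachable, while the second confirms the smoke-test requirement that health and info still answer.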

6. Preventive Measures and Monitoring


  • Baselines: Update security baselines or policies to include secure configuration settings for Spring Boot Actuator endpoints.
  • Asset and patch process: Implement a regular review cycle for application configurations, ensuring that security best practices are followed.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Disabling necessary endpoints may impact monitoring capabilities. Ensure you only disable endpoints that are not required for application operation.
  • Roll back: Restore the backed-up application.properties or application.yml file and restart the Spring Boot application.


Updated on December 27, 2025
