Fortify dynamic-code-evaluation-unsafe-deserialization on Spring Boot Actuator 2.1.6 - spring-boot

I have the same problem as in the question; the only answer is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.

Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report - Fortify file (.fpr file) to PDF conversion, How do I generate a report that has all the issues?)
In short, this issue is because SpringBoot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send and receive messages, so an attacker who is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload, which may run arbitrary code when the JMX endpoint deserializes it.
Fix:
SpringBoot Actuator JMX endpoints may be disabled by adding the following properties
to the application.properties file:
endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*
Note: endpoints.jmx.enabled=false is deprecated
There's also a nice answer on MicroFocus
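To verify the fix from the attacker's side rather than by reading application.properties, here is an added example (not code from the original answer, from Spring Boot or from Fortify): a JDK-only checker that connects to a JMX remote port and lists every Spring Boot Actuator endpoint that is still registered as an MBean. The org.springframework.boot domain is the Spring Boot 2.x default set by management.endpoints.jmx.domain; the host, port and credentials are command-line arguments and are assumptions. Note that in Boot 2.x the switch that turns JMX export off altogether is spring.jmx.enabled=false (endpoints.jmx.enabled is the Boot 1.x property name), while management.endpoints.jmx.exposure.exclude=* keeps JMX on but stops the actuator endpoints from being exported; either makes this check report an empty list.

```java
// Added example, not code from the original answer or from Spring Boot.
// Connects to a JMX remote port and lists every Spring Boot Actuator endpoint
// registered as an MBean. Host, port and credentials are command-line assumptions.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class ActuatorJmxCheck {

    // Spring Boot 2.x registers actuator endpoints under the "org.springframework.boot"
    // domain (management.endpoints.jmx.domain), e.g.
    // org.springframework.boot:type=Endpoint,name=Health
    static final String ACTUATOR_PATTERN = "org.springframework.boot:type=Endpoint,*";

    /** Object names of all actuator endpoint MBeans visible through the connection, sorted. */
    static Set<ObjectName> actuatorEndpoints(MBeanServerConnection mbsc) throws Exception {
        return new TreeSet<>(mbsc.queryNames(new ObjectName(ACTUATOR_PATTERN), null));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java ActuatorJmxCheck <host> <port> [user password]");
            System.exit(2);
        }
        // Standard RMI connector URL for a JVM started with
        // -Dcom.sun.management.jmxremote.port=<port>
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + args[0] + ":" + args[1] + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        if (args.length >= 4) {
            // Password authentication as configured by jmxremote.password/jmxremote.access
            env.put(JMXConnector.CREDENTIALS, new String[] { args[2], args[3] });
        }
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            Set<ObjectName> endpoints = actuatorEndpoints(connector.getMBeanServerConnection());
            if (endpoints.isEmpty()) {
                System.out.println("OK: no actuator endpoints are exposed over JMX");
                return;
            }
            System.out.println("FAIL: " + endpoints.size()
                    + " actuator endpoint(s) reachable over JMX:");
            for (ObjectName name : endpoints) {
                System.out.println("  " + name);
            }
            System.exit(1);
        }
    }
}
```

Run it against the management JVM (for example java ActuatorJmxCheck app.internal 9010) before and after applying the properties above; the list should go from the full set of endpoints (Health, Info, Loggers, ...) to empty. An empty result only proves that nothing is exported over that JMX connector: the same endpoints are still served over HTTP unless management.endpoints.web.exposure.* says otherwise, and the platform MBeanServer remains reachable locally through the attach API, so treat this as a check on the JMX side of the finding, not on the whole Actuator surface.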

Related

How does the Spring Boot Actuator work together with the Netflix Servo?

There is a Spring Boot project that uses Netflix Servo to collect metrics and send them to Graphite.
I want to send metrics to Graphite with the Spring Boot Actuator, such as the number of requests per endpoint and the response time of every request, instead of creating custom metrics.
But I ran into a problem. When I use only the spring-boot-starter-actuator library, the desired parameters are displayed:
but when I add the spring-cloud-starter-eureka library, only the response time from Servo is displayed:
If someone has faced this problem, can you explain why it happens and how to solve it?
I use these versions: Spring Boot 1.5.9.RELEASE and Spring Cloud Edgware.SR1.
I would be glad of any response.
Link to test project: https://github.com/rmartseniuk/spring-metric

Log action in Spring Boot Admin

How do I configure Spring Boot Admin to log actions? For example, I want Spring Boot Admin to log an action when someone changes the log level from INFO to DEBUG, or when someone changes a configuration value in the JMX tab and writes a wrong configuration that overrides the existing one.
Does Spring Boot Admin have a feature to do that?
No, it doesn't, but you could write a Zuul filter intercepting and analyzing the request to /api/applications/{id}/logfile and writing a log statement.
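As an added example of the filter the answer above suggests (it is not code from the answer or from the Spring Boot Admin project): a Zuul "pre" filter that writes one audit line for every state-changing request under the admin API. The /api/applications/ prefix is the one named in the answer; treating every non-GET request under it as an administrative action (log-level changes, JMX writes) and the package and logger names are assumptions. It targets the Zuul 1.x ZuulFilter API that Spring Cloud Netflix auto-registers for any ZuulFilter bean.

```java
// Added example, not from the original answer or from Spring Boot Admin.
// A Zuul "pre" filter that audit-logs state-changing requests to the admin API.
package com.example.admin;

import javax.servlet.http.HttpServletRequest;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component
public class AdminActionAuditFilter extends ZuulFilter {

    // Dedicated logger name so the audit trail can be routed to its own appender.
    private static final Logger AUDIT = LoggerFactory.getLogger("ADMIN_AUDIT");

    // Prefix from the answer above; everything under it that is not a read is an action.
    static final String ADMIN_API_PREFIX = "/api/applications/";

    /** True for requests that can change state on a managed application. */
    static boolean isAdminAction(String method, String path) {
        if (path == null || !path.startsWith(ADMIN_API_PREFIX)) {
            return false;
        }
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    @Override
    public String filterType() {
        return "pre";   // run before Zuul routes the request to the managed application
    }

    @Override
    public int filterOrder() {
        return 0;
    }

    @Override
    public boolean shouldFilter() {
        HttpServletRequest request = RequestContext.getCurrentContext().getRequest();
        return isAdminAction(request.getMethod(), request.getRequestURI());
    }

    @Override
    public Object run() {
        HttpServletRequest request = RequestContext.getCurrentContext().getRequest();
        String user = request.getUserPrincipal() == null
                ? "anonymous" : request.getUserPrincipal().getName();
        // One line per action: who, from where, what. The body is deliberately not read
        // here, because consuming the request stream would break forwarding to the target.
        AUDIT.info("admin action user={} remote={} method={} path={} query={}",
                user, request.getRemoteAddr(), request.getMethod(),
                request.getRequestURI(), request.getQueryString());
        return null;
    }
}
```

With a logger named ADMIN_AUDIT configured in logback to its own file, a log-level change shows up as a POST under /api/applications/{id}/... with the caller's principal and address; if the admin server runs without authentication the user field will always be "anonymous", which is itself worth seeing in the audit log.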
Spring Boot includes a number of additional features to help you
monitor and manage your application when it’s pushed to production.
You can choose to manage and monitor your application using HTTP
endpoints, with JMX or even by remote shell (SSH or Telnet). Auditing,
health and metrics gathering can be automatically applied to your
application.
Actuator HTTP endpoints are only available with a Spring MVC-based
application. In particular, it will not work with Jersey unless you
enable Spring MVC as well.
You can also activate a listener by invoking the SpringApplication.addListeners(...) method and passing the appropriate Writer object. This method also allows you to customize the file name and path via the Writer constructor.
Customize your requirement in Actuator
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready
Maven:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>1.5.2.RELEASE</version>
</dependency>
http://www.baeldung.com/spring-boot-authentication-audit

Spring cloud Camden.SR1 hystrix.stream hangs

I am trying to enable a hystrix stream in a Spring Cloud service, using Camden.SR1 in a spring boot app.
I enable hystrix by having a compile-time dependency:
compile 'org.springframework.cloud:spring-cloud-starter-hystrix'
and by adding @EnableHystrix in the Application configuration.
The /mappings actuator shows the /hystrix.stream endpoint available but when I do a GET on it, the request hangs indefinitely.
I have tried the same using Brixton.SR6 (thus using Spring Boot 1.3) and the hystrix.stream endpoint works as expected.
Am I doing something wrong or is this a regression?
This issue seems linked with the Hystrix issue described here: https://github.com/Netflix/Hystrix/issues/1117. The workaround detailed here solves it https://github.com/Netflix/Hystrix/issues/1117#issuecomment-192222569
/hystrix.stream becomes available amongst the actuator endpoints (add spring-boot-starter-hateoas and browse to /actuator). Regardless of any hystrix-enabled functionality in this service, this advertised endpoint should not hang.

Swagger integration with Logback

I'm setting up my Spring Boot application and I've managed to add API documentation using swagger following this tutorial
http://heidloff.net/article/usage-of-swagger-2-0-in-spring-boot-applications-to-document-apis/
It's all good, I can see the endpoints and use the UI to hit them. Now I want to somehow add visibility of my log file. I'm using logback with a rolling file appender. Is it possible to configure swagger to start showing my logs?

Spring-boot Actuator SSL configuration

I'm developing a web application with Spring Boot using embedded Tomcat.
One of the requirements of this app is 2-way SSL (clientAuth).
Enabling clientAuth is easy enough, however we would also like to use the Spring Boot Actuator for management of the app on a different port without clientAuth.
Is there a clean way to do this?
(Disabling SSL on the actuator endpoints would also be enough)
According to the latest Spring docs, you can use
management.server.port=8080
management.server.ssl.enabled=false
in the properties to configure the management ports. see production-ready-management-specific-ssl in the spring boot doc for more options.
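Putting the two halves together, here is an added example configuration (not from the answer above or from the Spring Boot docs) for Spring Boot 2.x: mutual TLS on the application port, and the management port the answer describes, without TLS. The keystore names and passwords are placeholders. Dropping SSL and client authentication on the management connector means the actuator endpoints become unauthenticated plaintext, so the example also binds that connector to loopback and keeps the exposed endpoint set explicit; both of those lines are the practitioner's hardening, not part of the answer.

```properties
# Added example, not from the original answer. Spring Boot 2.x property names;
# keystore paths and passwords are placeholders.

# Application connector: TLS with mandatory client certificates (2-way SSL).
server.port=8443
server.ssl.key-store=classpath:server.p12
server.ssl.key-store-password=changeit
server.ssl.key-store-type=PKCS12
# Trust store holding the CA that issues client certificates.
server.ssl.trust-store=classpath:client-ca.p12
server.ssl.trust-store-password=changeit
server.ssl.trust-store-type=PKCS12
# "need" rejects connections without a client certificate; "want" would make it optional.
server.ssl.client-auth=need

# Management connector: separate port without TLS, as in the answer above.
management.server.port=8080
management.server.ssl.enabled=false
# The actuator is now plain HTTP with no client certificate, so do not expose it beyond
# the host: bind to loopback and reach it through a local sidecar or tunnel.
management.server.address=127.0.0.1
# Keep the HTTP-exposed endpoint set explicit rather than relying on defaults.
management.endpoints.web.exposure.include=health,info
```

Two-way SSL is enforced only on server.port; a request to 127.0.0.1:8080/actuator/health needs neither a certificate nor TLS, which is exactly why the management.server.address line matters. If the management port must be reachable from other hosts, keep management.server.ssl.enabled=true with its own key store and put authentication in front of the endpoints instead.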
