The English version of quarkus.io is the official project site. Translated sites are community supported on a best-effort basis.

Blog Quarkus 2.14.2.Final and 2.13.5.Final released - Fix for CVE-2022-4116

November 28, 2022 #release

Quarkus 2.14.2.Final and 2.13.5.Final released - Fix for CVE-2022-4116

By Guillaume Smet

Today, we are announcing the release of Quarkus 2.14.2.Final and Quarkus 2.13.5.Final.

Both releases fix CVE-2022-4116 which has been rated as severity high.

This fix also hardens CORS handling, including changing 200 OK to 403 FORBIDDEN when a CORS request is rejected because of an invalid origin.

It is highly recommended to upgrade to these new versions:

  • 2.14.2.Final contains this fix and several others

  • 2.13.5.Final targets the 2.13 branch and contains this fix only

Users of the Red Hat Build of Quarkus should update to the latest 2.7.6.Final-redhat-00012.

About CVE-2022-4116

CVE-2022-4116 is a vulnerability in our Dev UI that could lead to remote code execution on the machine running the Dev UI, if you go to a carefully crafted webpage while the Dev UI is running.

While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box.

Joseph Beeton from Constrast Security explains the issue in detail in this blog post.

Mitigations

The easiest way to mitigate the issue is to upgrade to either 2.14.2.Final or 2.13.5.Final.

If you cannot upgrade right now, a possible workaround is to use a random path for the Quarkus Dev UI by moving all the non application endpoints to a random root:

%dev.quarkus.http.non-application-root-path=<your random string>

The Dev UI is then available at the following URL: http://localhost:8080/<your random string>/dev/.

Note that this also affects other non application endpoints such as the health endpoints (but only in dev mode as we use the dev profile).

Credits

We would like to thank Joseph Beeton from Contrast Security for reporting responsibly this security issue, and providing both an in depth analysis of the problem and a reproducer.

Full changelog

You can get the full changelog of 2.14.2.Final and the one for 2.13.5.Final on GitHub.

Come Join Us

We value your feedback a lot so please report bugs, ask for improvements…​ Let’s build something great together!

If you are a Quarkus user or just curious, don’t be shy and join our welcoming community:

Quarkus is open. All dependencies of this project are available under the Apache Software License 2.0 or compatible license.

This website was built with Jekyll, is hosted on GitHub Pages and is completely open source. If you want to make it better, fork the website and show us what you’ve got.

Navigation
Follow Us
Get Help
Languages
Quarkus is made of community projects
CC by 3.0 | Privacy Policy Sponsored by