A new research report from Wiz Threat Research has uncovered widespread security risks in Spring Boot Actuator implementations, affecting numerous cloud environments. The investigation reveals that 60% of cloud environments utilize Spring Boot Actuator, with 11% exposing instances publicly to the internet, creating significant security vulnerabilities.
The research identifies several critical misconfigurations that could allow attackers to access sensitive information and potentially execute remote code. Of particular concern, 24% of environments with exposed Actuators were found to have misconfigured instances that could be exploited.
(Image: Wiz)
According to Shodan data cited in the report, approximately 92,000 endpoints worldwide are currently running Spring Boot Actuator.
More alarmingly, GreyNoise observed around 1,000 malicious IP addresses actively scanning for Spring Boot Actuator endpoints in the past 30 days, with 95% of these addresses specifically targeting the health check endpoint.
Spring Boot is a popular framework that simplifies the development of Java applications by providing a streamlined approach to building production-ready services. Spring Boot Actuator is a module within Spring Boot that adds operational endpoints to an application, giving insight into its health and runtime status.
This allows developers to monitor application metrics, manage configurations and gain real-time visibility into performance and resource usage.
The research highlights three primary security concerns: exposed HeapDump files, vulnerable gateway endpoints leading to Remote Code Execution (RCE), and exposed environment variables.
The HeapDump endpoint, found in 2.3% of exposed instances, can leak sensitive credentials including cloud keys, tokens, and passwords when misconfigured.
A particularly severe vulnerability exists in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6 (CVE-2022-22947), affecting 28% of cloud environments using Spring Cloud Gateway. This vulnerability, combined with misconfigured gateway endpoints, can enable remote code execution attacks.
The env endpoint exposure, affecting 4% of publicly accessible Spring Boot Actuator applications, can reveal critical configuration details including database credentials, API keys, and cloud access tokens.
To mitigate these risks, the researchers recommend implementing proper authentication mechanisms, restricting access to sensitive endpoints, and keeping Spring Boot Actuator and associated libraries up to date.
Organizations are advised to review their Spring Boot Actuator configurations, especially in cloud environments, and ensure that sensitive endpoints are not publicly exposed without authentication.
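The following `application.properties` fragment is an added illustration of the configuration review the researchers recommend; it is not taken from the Wiz report or from the Spring project. The commented-out block at the top shows the kind of over-permissive settings behind the exposed heapdump, env and gateway endpoints described above, and the active block below it shows a hardened equivalent. Property names are the standard Spring Boot 3.x management keys; the management port 8081 and the loopback address are assumed values chosen for the example.

```properties
# --- Weak configuration (assumed example of a misconfigured instance) ---
# Exposes every actuator endpoint over HTTP, including heapdump, env and gateway,
# and shows unmasked property values and full health details to any caller.
# management.endpoints.web.exposure.include=*
# management.endpoint.env.show-values=always
# management.endpoint.health.show-details=always

# --- Hardened configuration ---
# Expose only what monitoring actually needs; everything else is unreachable over HTTP.
management.endpoints.web.exposure.include=health,info
# Explicitly exclude the endpoints the report singles out (exclude wins over include).
management.endpoints.web.exposure.exclude=heapdump,env,gateway
# Keep property values masked in /env even for authenticated callers
# (Spring Boot 3.x default is already "never"; stated here so a review can see it).
management.endpoint.env.show-values=never
# Do not reveal component details (database, disk, cloud services) through /health.
management.endpoint.health.show-details=never
# Serve actuator on a separate port bound to loopback (assumed values) so the
# public application port never carries management traffic.
management.server.port=8081
management.server.address=127.0.0.1
# JMX exposure is not needed for HTTP monitoring; switch it off as well.
management.endpoints.jmx.exposure.exclude=*
```

With this in place, the endpoints that remain exposed still need the authentication the report's first recommendation calls for; that is configured separately through Spring Security rather than through these properties, and binding the management port to loopback is what keeps the remaining endpoints off the public interface even if that security configuration is missing.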
The research emphasizes that while these misconfigurations might not have been widely exploited yet, they represent significant security risks that could be leveraged by threat actors for initial access, lateral movement, and privilege escalation in cloud environments.