Beware of Spring Boot Actuator Endpoint env: A Security Alert

As a developer, securing your applications should be a top priority. One area that often goes unnoticed in Spring Boot applications is the Actuator env endpoint. In this blog post, we will explore the potential security issues associated with this endpoint and provide tips on how to mitigate these risks.

What is Spring Boot Actuator?

Spring Boot Actuator is a sub-project of Spring Boot that provides a set of built-in endpoints for monitoring and managing your application. These endpoints expose various metrics, health checks, and other useful information about the state of the application.

Main Actuator Endpoints

Here are some of the primary endpoints provided by Spring Boot Actuator:

  • /actuator/health: Displays the health status of the application.
  • /actuator/info: Provides arbitrary application information.
  • /actuator/metrics: Exposes metrics about the application.
  • /actuator/loggers: Shows and modifies the logging levels of the application.
  • /actuator/threaddump: Provides a thread dump of the application.
  • /actuator/httptrace: Displays HTTP trace information.
  • /actuator/env: Exposes the properties and environment variables of the application.

Security Risks of the env Endpoint

Information Exposure

The /actuator/env endpoint exposes a wealth of information, including application properties and environment variables. This can include sensitive data such as database credentials, API keys, cloud credentials, and other secrets. In the wrong hands, this information can be used to compromise the application and its underlying infrastructure.

Misconfiguration Risks

Even though Spring Boot 3 has improved the security of the env endpoint by disabling it by default and sanitizing secrets, misconfigurations can still occur. For instance, developers might unintentionally expose the env endpoint by using a broad inclusion pattern in their configuration:

management.endpoints.web.exposure.include=*

This setting will expose all actuator endpoints, including the potentially dangerous env endpoint, to unauthenticated access. As a result, sensitive data can be retrieved by making a simple HTTP request to the env endpoint.

Changes in Spring Boot 3

With the release of Spring Boot 3, the env endpoint is disabled by default. Additionally, when the env endpoint is enabled, sensitive information is sanitized by default. This is a significant improvement in terms of security. However, developers must still be vigilant about their configurations.

Example of Default Sanitization in Spring Boot 3

In Spring Boot 3, even when the env endpoint is enabled, secrets are sanitized. For example:

{
  "propertySources": [
    {
      "name": "systemProperties",
      "properties": {
        "my.secret": {
          "value": "******"
        }
      }
    }
  ]
}

Common Mistakes and Oversights

  1. Exposing Actuator Endpoints Without Authentication: It is common to find actuator routes exposed without proper authentication, especially in development environments. This can lead to unintended data exposure in production if not properly configured.
  2. Broad Inclusion Patterns: Using patterns like management.endpoints.web.exposure.include=* can expose more endpoints than intended, including the env endpoint.
  3. Overlooking Environment-specific Configurations: Developers might configure security settings for one environment (e.g., development) and forget to adjust them for production, leading to unintended exposures.
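The wildcard and environment-specific mistakes above are easy to catch before deployment by auditing the resolved configuration rather than a single file. The following checker is an added example, not code from the original post: it parses a base application.properties and a profile file, merges them the way Spring Boot does (profile wins), and reports whether env ends up reachable over HTTP. The endpoint list and the include/exclude keys are from this page; management.endpoint.env.show-values is a Spring Boot 3 property not discussed above, and the sample files are constructed.

```python
"""Audit Spring Boot .properties files for accidental exposure of the actuator env endpoint."""
import re

# Endpoint IDs named on this page; Spring Boot 3 exposes only 'health' over HTTP by default.
ENDPOINTS = {"health", "info", "metrics", "loggers", "threaddump", "httptrace", "env"}
INCLUDE = "management.endpoints.web.exposure.include"
EXCLUDE = "management.endpoints.web.exposure.exclude"


def parse_properties(text):
    """Parse a minimal .properties file (key=value or key: value; '#'/'!' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve(base_text, profile_text):
    """Merge a profile-specific file over the base file the way Spring Boot does (profile wins)."""
    return {**parse_properties(base_text), **parse_properties(profile_text)}


def exposed_endpoints(props):
    """Endpoint IDs reachable over HTTP: include (default 'health') minus exclude; '*' means all."""
    csv = lambda v: {p.strip() for p in v.split(",") if p.strip()}
    include, exclude = csv(props.get(INCLUDE, "health")), csv(props.get(EXCLUDE, ""))
    exposed = set(ENDPOINTS) if "*" in include else include & ENDPOINTS
    return set() if "*" in exclude else exposed - exclude


def audit_env(props):
    """Findings (strings) about the env endpoint for one resolved configuration; empty means OK."""
    if "env" not in exposed_endpoints(props):
        return []
    findings = ["env exposed via wildcard" if "*" in props.get(INCLUDE, "") else "env explicitly exposed"]
    # Spring Boot 3 property not discussed above: 'always' turns off the default value masking.
    if props.get("management.endpoint.env.show-values", "never").lower() == "always":
        findings.append("env values shown unmasked")
    return findings


# Constructed sample: a dev-friendly base file and a prod profile that forgets to narrow exposure.
BASE = "# application.properties\nmanagement.endpoints.web.exposure.include=*\n"
PROD_FORGOTTEN = "# application-prod.properties\nserver.port=8443\n"
PROD_FIXED = "# application-prod.properties\nmanagement.endpoints.web.exposure.include=health,info\n"
```

Running audit_env(resolve(BASE, PROD_FORGOTTEN)) shows that the forgotten prod profile inherits the wildcard and leaves env exposed, while the fixed profile yields no findings.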

Best Practices for Securing Actuator Endpoints

Enable Only Necessary Endpoints: Explicitly specify which endpoints should be exposed. For example:

management.endpoints.web.exposure.include=health,info

Use Authentication and Authorization: Secure actuator endpoints with authentication and authorization mechanisms. For example, using Spring Security to restrict access:

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Spring Boot 3 / Spring Security 6 style: expose a SecurityFilterChain bean rather than
    // extending WebSecurityConfigurerAdapter, which no longer exists in Spring Security 6.
    @Bean
    public SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http
            // this chain applies only to actuator endpoints
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // health and info may be read anonymously
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // every other actuator endpoint, env included, requires an authenticated user
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

Sanitize Sensitive Data: Ensure that sensitive data is sanitized and not exposed in actuator endpoints. Spring Boot provides out-of-the-box sanitization for keys that match the patterns password, secret, key, token, .*credentials.*, vcap_services, and sun.java.command; custom patterns can be added through the property management.endpoint.env.keys-to-sanitize if necessary.
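To confirm that sanitization is actually doing its job, it helps to check a captured env response from your own application against the default key patterns listed above. This checker is an added example, not code from the original post; the matching rule it mirrors (a plain word matches the end of a key case-insensitively, a pattern containing regex characters is used as written) is my reading of Spring Boot's sanitizer and is an assumption here, and the sample response is constructed in the same shape as the JSON shown earlier.

```python
"""Check a captured /actuator/env response for secret-looking keys whose values came through unmasked."""
import json
import re

# Default key patterns listed above. Assumed matching rule (mirroring Spring Boot's sanitizer):
# a plain word matches the END of a key, case-insensitively; a value with regex characters is used as-is.
DEFAULT_KEYS_TO_SANITIZE = ("password", "secret", "key", "token", ".*credentials.*",
                            "vcap_services", "sun.java.command")
MASK = "******"


def _to_pattern(value):
    is_regex = any(ch in value for ch in "*$^+")
    return re.compile(value if is_regex else ".*" + value + "$", re.IGNORECASE)


PATTERNS = [_to_pattern(v) for v in DEFAULT_KEYS_TO_SANITIZE]


def looks_sensitive(key):
    """True if the default key patterns would mask this property key."""
    return any(p.match(key) for p in PATTERNS)


def unmasked_secrets(env_json):
    """Return (propertySource name, key) pairs for sensitive-looking keys whose value is not the mask."""
    leaks = []
    for source in json.loads(env_json).get("propertySources", []):
        for key, entry in source.get("properties", {}).items():
            if looks_sensitive(key) and entry.get("value") != MASK:
                leaks.append((source["name"], key))
    return leaks


# Constructed sample response: one masked secret, one that slipped through, one harmless variable.
SAMPLE_ENV = json.dumps({"propertySources": [
    {"name": "systemProperties", "properties": {"my.secret": {"value": MASK}}},
    {"name": "systemEnvironment", "properties": {
        "DB_PASSWORD": {"value": "constructed-placeholder"},
        "HOME": {"value": "/home/app"}}}]})
```

An empty list from unmasked_secrets means every key the default patterns cover was masked; anything returned is a key to add to your sanitization configuration or remove from the environment.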

Review Configuration Regularly: Regularly review your application’s configuration to ensure that no sensitive information is unintentionally exposed.

Use Environment-specific Properties: Configure actuator settings separately for different environments to prevent development settings from leaking into production.

Conclusion

The Spring Boot Actuator env endpoint can be a valuable tool for monitoring and managing applications. However, it also poses significant security risks if not properly configured. By understanding these risks and following best practices, you can ensure that your applications remain secure while leveraging the powerful features of Spring Boot Actuator.

Stay vigilant, regularly review your configurations, and always prioritize security in your application development and deployment processes.