CVE-2023-4639 - How a Cookie Parsing Bug in Undertow Could Let Attackers Steal HttpOnly Cookies

In the world of web security, small parsing bugs can open the door to major vulnerabilities. This is exactly what happened with CVE-2023-4639. The Undertow server, popular in Java environments and used in projects like JBoss and WildFly, was found to incorrectly parse cookies when certain value-delimiting characters were present in incoming requests. This flaw allows attackers to exfiltrate HttpOnly cookie values or spoof additional cookies, threatening both the confidentiality and integrity of web application data.

Let’s break down the vulnerability, see how it’s exploited, and learn how you can protect your applications.

What is Undertow?

Undertow is a flexible and high-performance web server written in Java. Many large Java frameworks and containers use it under the hood. Like all HTTP servers, Undertow is responsible for parsing cookies from incoming HTTP requests.

The Heart of CVE-2023-4639: The Cookie Parsing Flaw

According to the Red Hat advisory, Undertow fails to correctly handle cookie values that contain special delimiting characters—such as semicolons (;) or equal signs (=)—under certain conditions.

What does this mean?
If an attacker can control how cookies are sent to an application running on Undertow, they can craft a malicious cookie string that "escapes" the intended value boundaries. This makes the server think that a cookie value is part of another cookie, or vice versa.

This misinterpretation can allow an attacker to, for example, access a supposedly secret HttpOnly cookie that should never be visible from JavaScript, or trick the application into thinking a new cookie is present.

Say a legitimate request sets these cookies

Cookie: SID=abc123; SESSIONID=xyz789; HttpOnlySecret=hunter2

Suppose HttpOnlySecret is a sensitive cookie with the HttpOnly flag, making it inaccessible to JavaScript.

Due to the bug in Undertow, an attacker can craft a Cookie header like this

Cookie: attacker=foo; HttpOnlySecret=bar;SESSIONID=attacksession

But here's where it gets risky: Undertow's flawed parsing allows the attacker to "inject" extra semicolons, equals signs, or malformed values, making the application interpret the actual sensitive value as part of another cookie's value.

For example

Cookie: attacker=foo; HttpOnlySecret=bar;SESSIONID=attacksession;SID=; HttpOnlySecret

Depending on the application, this could splice or leak values between cookies. If sensitive values are logged or reflected, attackers might gain access to secrets they shouldn't see.

Here’s a simplified snippet (in Java-like pseudocode) of what might go wrong

public Map<String, String> parseCookies(String cookieHeader) {
    Map<String, String> cookies = new HashMap<>();
    for (String pair : cookieHeader.split(";")) {
        String[] parts = pair.split("=", 2); // Only split on first '='
        String name = parts[].trim();
        String value = parts.length > 1 ? parts[1].trim() : "";
        cookies.put(name, value);
    }
    return cookies;
}

If attackers inject a Cookie value containing special characters or confusing boundaries, the parser might treat part of the value as a new cookie name (or vice versa).

4. Possible Attack: Exfiltrate HttpOnly Cookie Value

If the undertow-based app echoes back cookie values or uses cookies in request parameters, an attacker can submit a request like:

Cookie: foo=bar; HttpOnlySecret=attackerValue

The parser may, due to flawed splitting, treat attackerValue as the legitimate value of HttpOnlySecret, potentially exposing it.

What can go wrong?

- Confidentiality: Attackers may access session tokens or HttpOnly cookies, stealing user sessions.
- Integrity: Attackers can spoof or overwrite legitimate cookies, causing misbehavior or escalation in the application.

Who is affected?

- Applications running on any version of Undertow that has not incorporated the fixed patch

Real-World Exploitation

Imagine a banking web app where SESSIONID is used for authentication. By tricking the server into misparsing cookies, an attacker can:

Spoof their own cookies to gain elevated privileges or access.

If the application ever reflects cookie values (e.g., in error reports or logs), attackers get an easy path to exploit.

Remediation

- Upgrade Undertow: The bug has been fixed in recent versions. See GitHub pull request #1457.

References

- CVE-2023-4639 MITRE record
- Red Hat Advisory
- Undertow Issue Tracker
- Undertow Security PR #1457

Conclusion

CVE-2023-4639 is a reminder: Even small bugs in core web infrastructure can lead to big security problems. If you operate Java applications on Undertow, patch immediately. And no matter which server you use, always be cautious with cookie handling and never trust client-supplied data.

Stay safe—and keep your cookies to yourself! 🍪


*Exclusively written for you, breaking down the latest Undertow vulnerability in plain American English.*

Timeline

Published on: 11/17/2024 11:15:05 UTC
Last modified on: 11/18/2024 17:11:17 UTC