As developers, we rely on libraries to save time and effort when building our applications. However, libraries themselves sometimes contain security vulnerabilities that put our applications at risk. That is the case with the AsyncHttpClient (AHC) library for Java. If your project relies on this library for making HTTP requests, you may want to keep reading this post!

Understanding the Vulnerability: CVE-2024-53990

The AHC library, available on its GitHub repository, is a very helpful asset for Java applications when it comes to executing HTTP requests and asynchronously dealing with responses. However, the library presents a security risk that impacts services running multiple user sessions.

The issue lies in the way AHC uses the CookieStore, also known as the "cookie jar." The vulnerability was recently discovered and assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-53990. It occurs because the cookie jar silently replaces explicitly defined cookies with any cookie of the same name already held in the cookie jar.

For applications that operate with multiple users, this might lead to one user's Cookie being used for another user's requests, which could cause sensitive data leakage or unauthorized access in the application.

Exploit Details

To fully understand the vulnerability, consider the following code snippet that sends an HTTP request using the AHC library:

import org.asynchttpclient.*;

public class HttpClient {
    public static void main(String[] args) throws Exception {
        // Default configuration: the built-in cookie jar is enabled.
        AsyncHttpClient asyncHttpClient = new DefaultAsyncHttpClient();

        try {
            asyncHttpClient.prepareGet("https://example.com/api")
                    // The developer explicitly sets the session cookie for this request.
                    .setHeader("Cookie", "sessionID=123456789")
                    .execute()
                    .toCompletableFuture()
                    .thenAccept(System.out::println)
                    .join();
        } finally {
            asyncHttpClient.close();
        }
    }
}

In the code above, the developer intended to send a specific sessionID cookie value in the HTTP request. However, due to the vulnerability in the AHC library, an unintended session ID may get sent in place of the expected one.

Let's assume user A logged into the application and their sessionID was stored in the cookie jar. When user B logs in and executes the same request, AHC will silently replace user B's sessionID with user A's from the cookie jar, potentially allowing user B to access user A's data.
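The scenario above can be reproduced as a local regression check. The following is an added example, not code from the post or from the AHC project; it assumes the JDK's built-in com.sun.net.httpserver and AHC's Dsl configuration API. A local server sets sessionID=userA on /login and echoes back the Cookie header it actually receives, so the two printed lines show what the server saw with the default cookie jar and with the cookie store disabled:

```java
import com.sun.net.httpserver.HttpServer;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

public class CookieJarCheck {
    // Constructed local server: /login sets user A's session cookie; every path
    // echoes back the Cookie header the server received.
    static HttpServer echoServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            if (ex.getRequestURI().getPath().equals("/login")) {
                ex.getResponseHeaders().add("Set-Cookie", "sessionID=userA; Path=/");
            }
            String seen = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = String.valueOf(seen).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        return server;
    }

    // User A's login seeds the client's cookie jar; the second request then sets
    // user B's session explicitly. Returns the Cookie header the server saw.
    static String cookieSeenByServer(AsyncHttpClient client, String base) throws Exception {
        client.prepareGet(base + "/login").execute().get();
        Response r = client.prepareGet(base + "/data")
                .setHeader("Cookie", "sessionID=userB")
                .execute().get();
        return r.getResponseBody();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = echoServer();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        // Assumption: setCookieStore(null) disables the built-in cookie jar.
        try (AsyncHttpClient withJar = Dsl.asyncHttpClient();
             AsyncHttpClient noJar = Dsl.asyncHttpClient(Dsl.config().setCookieStore(null))) {
            System.out.println("default cookie store : " + cookieSeenByServer(withJar, base));
            System.out.println("cookie store disabled: " + cookieSeenByServer(noJar, base));
        } finally {
            server.stop(0);
        }
    }
}
```

On an affected version the first line reports user A's sessionID even though user B's was set explicitly; a correct client reports sessionID=userB on both lines, which makes this a useful check to keep in a test suite after upgrading.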

Mitigation

To protect your application against this vulnerability, consider taking one or more of the following steps:

1. Keep the AHC library up to date. Regularly check for updates or security patches on the official GitHub repository.

2. Disable the automated CookieStore and manage the cookies manually, controlling which cookies are sent in each request. You can do this by configuring the client without a cookie store (or with a CookieStore implementation that does not retain cookies):

import org.asynchttpclient.*;

public class NoCookieJarClient {
    public static void main(String[] args) throws Exception {
        // setCookieStore(null) disables the built-in cookie jar (assumes the AHC 2.x/3.x
        // config builder API), so only cookies set explicitly on each request are sent.
        DefaultAsyncHttpClientConfig config = new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(null).build();
        AsyncHttpClient asyncHttpClient = new DefaultAsyncHttpClient(config);
        // ... send requests, setting the Cookie header explicitly for each user ...
        asyncHttpClient.close();
    }
}

3. Consider using an alternative Java HTTP client library, such as OkHttp or Apache HttpComponents, if your application deals with multiple user sessions or sensitive data.

Conclusion

CVE-2024-53990 is a noteworthy security vulnerability found in the AsyncHttpClient (AHC) library for Java applications. It can lead to sensitive data leakage and unauthorized access in applications operating with multiple users. Developers should be aware of this issue and take the appropriate steps to mitigate the risks involved.

In addition to the strategies above, always follow best practices for secure application development, such as regularly auditing your codebase and dependencies and keeping up to date with the latest security patches and industry-standard guidelines.

Timeline

Published on: 12/02/2024 18:15:11 UTC