November 2024 Spring WebFlux FAQ (CVE-2024-38821)

CVE-2024-38821 FAQ

Why did we take our current approach to CVE-2024-38821?

CVE-2024-38821 details an authorization bypass of static resources in WebFlux applications. Per Spring's advisory on the matter (https://spring.io/security/cve-2024-38821):

“Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support”

RadiantOne IDDM is not a WebFlux application, and therefore is not impacted by this vulnerability.


Is there additional context around this exploit?

While a wide range of material on this vulnerability is now available online, we recommend a single blog post on it.

https://www.deep-kondah.com/spring-webflux-static-resource-access-vulnerability-cve-2024-38821-explained/ - Mouad Kondah analyzes the vulnerability and traces the request flow through the framework that leads to the bypass, notably DispatcherHandler → SimpleHandlerAdapter → ResourceWebHandler → PathResourceResolver → Resource → Attacker Access.


Is RadiantOne IDDM going to have an updated version of Spring?

We are currently testing RadiantOne IDDM with the latest Spring Security (5.7.3). An update containing these updated libraries will be released. It is targeted for 7.4.13 and for the corresponding releases of version 8.


Is Radiant Logic’s SaaS offering for IDDM impacted by this vulnerability?

Radiant Logic IDDM is not impacted for the reasons stated above, but an update to the SaaS offering for IDDM that includes the Spring Security update will be released.


Is Identity Analytics impacted by this?

Identity Analytics does not use the impacted libraries and is not impacted by this.


Is CFS impacted by this?

No, CFS is a .NET product that does not use any Java libraries.
