Spring Boot Actuator v2
Description
Spring Boot Actuator provides production-ready endpoints for monitoring and managing applications. In version 2.x these endpoints are served under a common base path (/actuator by default) and expose operational information such as application health, bound configuration properties (configprops), environment variables and property sources (env), bean definitions (beans), request mappings (mappings), metrics, thread and heap dumps (threaddump, heapdump) and log levels (loggers). Some endpoints also change state: loggers accepts POST requests that alter log levels at runtime, and shutdown (disabled by default) stops the application. While valuable for operations teams, these endpoints leak credentials, internal hostnames and application structure when left reachable without authentication or exposed to untrusted networks; heapdump in particular hands out the full JVM heap, including any secrets held in memory, and the keyword-based value sanitisation that env and configprops apply (keys containing "password", "secret", "key", "token" and the like) does not cover every sensitive property. Spring Boot 2.x exposes only health and info over HTTP by default, but setting management.endpoints.web.exposure.include=* is a common shortcut that exposes everything. This vulnerability occurs when Actuator endpoints are enabled and accessible in production environments without adequate access controls.
Remediation
Restrict access to Actuator endpoints in production environments using the following approaches:
1. Disable unnecessary endpoints - Only enable endpoints required for production monitoring:
management.endpoints.web.exposure.include=health,info
Do not combine this with management.endpoints.web.exposure.exclude=*: in Spring Boot 2.x the exclude property takes precedence over include, so that pair exposes nothing over HTTP, not even health and info. The include list above is already the 2.x default; the usual mistake is overriding it with *. To switch an endpoint off entirely rather than just hide it from HTTP, disable it, for example management.endpoint.shutdown.enabled=false (the default) or management.endpoints.enabled-by-default=false followed by management.endpoint.health.enabled=true for the ones you need.
2. Require authentication - Secure all Actuator endpoints with Spring Security:
management.endpoints.web.base-path=/actuator
# In your Security Configuration (Spring Security 5.x, as used by Spring Boot 2.x):
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // EndpointRequest.toAnyEndpoint() matches every Actuator endpoint regardless of the
        // configured base path or management port; require the ACTUATOR_ADMIN role for all
        // of them and authenticate with HTTP Basic.
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
            .anyRequest().hasRole("ACTUATOR_ADMIN")
            .and()
            .httpBasic();
    }
}
ACTUATOR_ADMIN is an example role name; use whatever role or authority your operators already hold. HTTP Basic sends credentials with every request, so only serve the management endpoints over TLS. If a load balancer or orchestrator must read health anonymously, permit EndpointRequest.to("health") ahead of the catch-all rule rather than leaving the whole base path open.
3. Use a separate management port - Isolate Actuator endpoints on a different port accessible only from trusted networks:
management.server.port=8081
management.server.address=127.0.0.1
Binding to 127.0.0.1 limits access to processes on the same host (a local monitoring agent or sidecar); in a container it also makes the port unreachable from the pod or host network, including Kubernetes kubelet probes, so bind to the management network interface instead when remote monitoring systems need it.
4. Network-level restrictions - Configure firewalls or security groups to allow management port access only from monitoring systems and administrative networks. Treat this as a complement to authentication, not a replacement: anything that already runs on the host or inside the allowed network segment, including a server-side request forgery in the application itself, can still reach a loopback-bound management port.
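To check whether the exposure described above is actually closed after applying the steps in this remediation, the following script audits a Spring Boot 2.x application for anonymously reachable Actuator endpoints. It is an added example, not code from the original page or from the Spring Boot project. It assumes the default /actuator base path, the 2.x discovery document shape ({"_links": {...}}) and the standard 2.x endpoint ids; the SENSITIVE table and SAMPLE_DISCOVERY document are constructed for the example. Run it with a base URL to probe a live application, or without arguments to classify the constructed sample.

```python
"""Pre-production check for Spring Boot 2.x Actuator exposure.

Added example, not part of the original page. Assumptions: the default
base path /actuator, the 2.x discovery document shape {"_links": {...}},
and the standard Boot 2.x endpoint ids. All sample data is constructed.
"""
import json
import urllib.error
import urllib.request

# Endpoint ids whose anonymous exposure leaks secrets or allows state changes.
SENSITIVE = {
    "env": "environment and property sources (credentials, internal hosts)",
    "configprops": "bound @ConfigurationProperties values",
    "beans": "bean definitions (application internals)",
    "mappings": "request mappings (undocumented routes)",
    "heapdump": "JVM heap dump (secrets in memory)",
    "threaddump": "thread dump (stack traces, internals)",
    "loggers": "log levels; POST changes them at runtime",
    "shutdown": "POST shuts the application down",
    "jolokia": "JMX over HTTP (MBean invocation)",
}
# The two endpoints Boot 2.x exposes over HTTP by default; acceptable in production.
ALLOWED = {"health", "info"}


def endpoint_ids(discovery):
    """Extract endpoint ids from a discovery document.

    Templated links such as "env-toMatch" or "health-path" are variants of
    "env" and "health"; fold them into the base id.
    """
    ids = set()
    for name in discovery.get("_links", {}):
        if name != "self":
            ids.add(name.split("-", 1)[0])
    return ids


def classify(ids):
    """Return (sensitive ids with reason, other non-allow-listed ids)."""
    sensitive = {i: SENSITIVE[i] for i in sorted(ids) if i in SENSITIVE}
    other = sorted(i for i in ids if i not in SENSITIVE and i not in ALLOWED)
    return sensitive, other


def status_of(url, timeout=5):
    """GET a URL without credentials and return the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(status):
    """Map the status of an unauthenticated GET to a finding."""
    if status == 200:
        return "EXPOSED"            # readable anonymously
    if status in (401, 403):
        return "protected"          # Spring Security is in front of it
    if status == 404:
        return "not exposed"        # not included in web exposure
    return "unexpected status %d" % status


def audit(base_url, timeout=5):
    """Probe a live application; returns {endpoint_id: verdict}.

    Uses the discovery document when it is readable; if the base path itself
    is protected or hidden, falls back to probing each known sensitive id.
    """
    base = base_url.rstrip("/")
    try:
        with urllib.request.urlopen(base, timeout=timeout) as resp:
            ids = endpoint_ids(json.load(resp))
    except (urllib.error.HTTPError, ValueError):
        ids = set(SENSITIVE)
    return {i: verdict(status_of("%s/%s" % (base, i), timeout)) for i in sorted(ids)}


# Constructed discovery document, shaped like Boot 2.x output when
# management.endpoints.web.exposure.include=* has been set.
SAMPLE_DISCOVERY = {"_links": {
    "self": {"href": "http://localhost:8080/actuator", "templated": False},
    "health": {"href": "http://localhost:8080/actuator/health", "templated": False},
    "health-path": {"href": "http://localhost:8080/actuator/health/{*path}", "templated": True},
    "info": {"href": "http://localhost:8080/actuator/info", "templated": False},
    "env": {"href": "http://localhost:8080/actuator/env", "templated": False},
    "env-toMatch": {"href": "http://localhost:8080/actuator/env/{toMatch}", "templated": True},
    "heapdump": {"href": "http://localhost:8080/actuator/heapdump", "templated": False},
    "loggers": {"href": "http://localhost:8080/actuator/loggers", "templated": False},
    "metrics": {"href": "http://localhost:8080/actuator/metrics", "templated": False},
}}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for endpoint, finding in audit(sys.argv[1]).items():
            print("%-12s %s" % (endpoint, finding))
    else:
        found, extra = classify(endpoint_ids(SAMPLE_DISCOVERY))
        for endpoint, reason in found.items():
            print("SENSITIVE %-12s %s" % (endpoint, reason))
        print("other non-default endpoints:", extra)
```

After step 2 is applied correctly, every id the script probes should come back as "protected" (or "not exposed" once step 1 trims the include list); a "protected" base path with "EXPOSED" individual endpoints means a permissive rule is ordered ahead of the catch-all. Run the probe from outside the trusted network as well as from the host, since the loopback and firewall controls in steps 3 and 4 only change what a remote client sees.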