CVE-2023-34040
Deserialization vulnerability in spring-kafka (Maven)

Deserialization Proof of concept

What is CVE-2023-34040 About?

This deserialization vulnerability in Spring for Apache Kafka allows an attacker to place a malicious serialized object in the deserialization exception record headers of a Kafka record. Successful exploitation could lead to arbitrary code execution or data manipulation. Exploitation is difficult because it requires a specific, unusual configuration to be present.

Affected Software

  • org.springframework.kafka:spring-kafka
    • >=2.8.1, <2.9.11
    • >=3.0.0, <3.0.10

Technical Details

The vulnerability affects Spring for Apache Kafka versions 3.0.9 and earlier, and 2.9.10 and earlier. An application is vulnerable only when all three of the following conditions are met:

  • an ErrorHandlingDeserializer is not configured for the record's key and/or value;
  • the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull are explicitly set to true; and
  • untrusted sources are allowed to publish to a Kafka topic.

Under these conditions, an attacker can craft a malicious serialized object and embed it in the deserialization exception record headers. When the container processes those headers without the protection of an ErrorHandlingDeserializer, the object is deserialized, which can lead to arbitrary code execution or other malicious actions. By default both properties are false, and header deserialization only occurs when an ErrorHandlingDeserializer is configured; that deserializer removes such headers before the record is processed, which is what mitigates the attack.
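The three conditions above, expressed as Spring Kafka consumer configuration in Java. This is an added example, not code from this page or from the Spring project: the vulnerable factory shows the non-default flags that condition (2) refers to combined with plain deserializers (condition (1)), and the hardened factory shows the same consumer with ErrorHandlingDeserializer wrapping the real deserializers and the flags left at their default of false. The bootstrap address, group id and trusted package are placeholder values.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.common.serialization.StringDeserializer;
import org.springframework.kafka.config.ConcurrentKafkaListenerContainerFactory;
import org.springframework.kafka.core.ConsumerFactory;
import org.springframework.kafka.core.DefaultKafkaConsumerFactory;
import org.springframework.kafka.support.serializer.ErrorHandlingDeserializer;
import org.springframework.kafka.support.serializer.JsonDeserializer;

/**
 * Constructed example: a vulnerable and a hardened listener container factory
 * side by side. Bootstrap address, group id and trusted package are placeholders.
 */
public class KafkaConsumerConfigs {

    private static final String BOOTSTRAP = "kafka.example.internal:9092"; // placeholder

    private static Map<String, Object> baseProps() {
        Map<String, Object> props = new HashMap<>();
        props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, BOOTSTRAP);
        props.put(ConsumerConfig.GROUP_ID_CONFIG, "orders-consumer"); // placeholder
        return props;
    }

    /**
     * VULNERABLE on spring-kafka 2.9.10 / 3.0.9 and earlier.
     * Condition (1): plain deserializers, no ErrorHandlingDeserializer in front of them,
     * so nothing strips deserialization-exception headers from incoming records.
     * Condition (2): the check*WhenNull flags are explicitly switched on, so a record
     * with a null key/value makes the container read and deserialize those headers.
     * Condition (3) is a broker-side question: can untrusted producers reach the topic?
     */
    public static ConcurrentKafkaListenerContainerFactory<String, String> vulnerableFactory() {
        Map<String, Object> props = baseProps();
        props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
        ConsumerFactory<String, String> cf = new DefaultKafkaConsumerFactory<>(props);

        ConcurrentKafkaListenerContainerFactory<String, String> factory =
                new ConcurrentKafkaListenerContainerFactory<>();
        factory.setConsumerFactory(cf);
        // Both default to false; setting them to true is the unusual configuration.
        factory.getContainerProperties().setCheckDeserExWhenKeyNull(true);
        factory.getContainerProperties().setCheckDeserExWhenValueNull(true);
        return factory;
    }

    /**
     * HARDENED. ErrorHandlingDeserializer wraps the real key/value deserializers, so
     * condition (1) no longer holds: it removes any deserialization-exception headers
     * carried by the record before the listener sees it, and a genuine deserialization
     * failure is routed to the container's error handler instead of crashing the poll.
     * The check*WhenNull flags are left at their default (false), so condition (2) no
     * longer holds either. Upgrading to 2.9.11 / 3.0.10 is still the actual fix.
     */
    public static ConcurrentKafkaListenerContainerFactory<String, Object> hardenedFactory() {
        Map<String, Object> props = baseProps();
        props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, ErrorHandlingDeserializer.class);
        props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, ErrorHandlingDeserializer.class);
        // Delegates that do the real work behind the error-handling wrapper.
        props.put(ErrorHandlingDeserializer.KEY_DESERIALIZER_CLASS, StringDeserializer.class);
        props.put(ErrorHandlingDeserializer.VALUE_DESERIALIZER_CLASS, JsonDeserializer.class);
        // Restrict which types the JSON delegate may instantiate (placeholder package).
        props.put(JsonDeserializer.TRUSTED_PACKAGES, "com.example.orders");
        ConsumerFactory<String, Object> cf = new DefaultKafkaConsumerFactory<>(props);

        ConcurrentKafkaListenerContainerFactory<String, Object> factory =
                new ConcurrentKafkaListenerContainerFactory<>();
        factory.setConsumerFactory(cf);
        // No setCheckDeserExWhenKeyNull / setCheckDeserExWhenValueNull calls: defaults stay false.
        return factory;
    }
}
```

When reviewing an existing code base for this issue, the two things to grep for are explicit calls to setCheckDeserExWhenKeyNull / setCheckDeserExWhenValueNull (or the equivalent spring.kafka.listener properties) and consumer configurations whose key/value deserializer is not ErrorHandlingDeserializer; either finding on an affected version is reason to prioritise the upgrade.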

What is the Impact of CVE-2023-34040?

Successful exploitation may allow attackers to execute arbitrary code, manipulate data, or cause denial-of-service, leading to compromise of system integrity, confidentiality, and availability.

What is the Exploitability of CVE-2023-34040?

Exploitation of this vulnerability is considered difficult due to several prerequisites. The attacker requires remote network access to publish to a Kafka topic. Crucially, the target Spring for Apache Kafka application must have an unusual, non-default configuration: specifically, the ErrorHandlingDeserializer must not be configured for keys/values, and the checkDeserExWhenKeyNull/checkDeserExWhenValueNull container properties must be explicitly set to true. There are no direct authentication or privilege requirements to trigger the deserialization attempt, assuming anonymous access to publish to the Kafka topic is permitted. The attacker needs to craft a sophisticated serialized object tailored to the target's environment. The low likelihood of this specific configuration being present significantly reduces the practical exploitability risk, despite the potential severe impact.

What are the Known Public Exploits?

Public proof-of-concept repositories (author, followed by the repository's own description):

  • Contrast-Security-OSS: POC for Spring Kafka Deserialization Vulnerability CVE-2023-34040
  • pyn3rd: Spring-Kafka-Deserialization-Remote-Code-Execution
  • buiduchoang24: In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would...

What are the Available Fixes for CVE-2023-34040?

Available Upgrade Options

  • org.springframework.kafka:spring-kafka
    • >=2.8.1, <2.9.11 → Upgrade to 2.9.11
    • >=3.0.0, <3.0.10 → Upgrade to 3.0.10

Additional Resources

What are Similar Vulnerabilities to CVE-2023-34040?

Similar Vulnerabilities: CVE-2015-4852, CVE-2017-3241, CVE-2017-1000487, CVE-2022-21443, CVE-2021-44228