CVE-2023-34054
Denial-of-Service vulnerability in reactor-netty-core (Maven)
What is CVE-2023-34054 About?
This vulnerability affects Reactor Netty HTTP Server, allowing a remote attacker to trigger a Denial-of-Service condition through specially crafted HTTP requests. The impact is a disruption of service for applications utilizing the server with Micrometer integration. Exploitation involves sending specific HTTP requests, and the difficulty is moderate, requiring knowledge of the server's configuration.
Affected Software
- io.projectreactor.netty:reactor-netty-core
- >1.0.0, <1.0.39
- >1.1.0, <1.1.13
Technical Details
The vulnerability in Reactor Netty HTTP Server (versions 1.1.x prior to 1.1.13 and 1.0.x prior to 1.0.39) occurs when the built-in Micrometer integration is enabled. An attacker can send specially crafted HTTP requests that, when processed by the server and its Micrometer integration, lead to a denial-of-service condition. The exact mechanism of how the crafted requests interact with Micrometer to cause a DoS is not detailed, but it's implied that they trigger an unhandled state or resource exhaustion specific to that integration, causing the server to become unavailable.
What is the Impact of CVE-2023-34054?
Successful exploitation may allow attackers to disrupt the availability of the server, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2023-34054?
Exploitation of this vulnerability involves sending specially crafted HTTP requests to the target server. The complexity is likely moderate, as it requires crafting specific request patterns that trigger the vulnerability within the Micrometer integration. No authentication is explicitly mentioned as required, implying that an unauthenticated attacker with network access to the HTTP server could potentially exploit it. There are no specific privilege requirements. The attack is remote, as it relies on sending HTTP requests over the network. A crucial condition is that the Reactor Netty HTTP Server must have its built-in Micrometer integration enabled. Risk factors increase if the server is publicly exposed and running vulnerable versions with Micrometer enabled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34054?
About the Fix from Resolved Security
This patch ensures that when an inactive connection pool is disposed, its associated metrics are explicitly deregistered by invoking the appropriate de-registration logic, both for custom and built-in metrics systems. This fixes CVE-2023-34054 by preventing resource leaks and potential exposure of outdated metrics data that could be accessed by attackers after pool disposal, ensuring proper cleanup and enhancing security.
Available Upgrade Options
- io.projectreactor.netty:reactor-netty-core
- >1.0.0, <1.0.39 → Upgrade to 1.0.39
- io.projectreactor.netty:reactor-netty-core
- >1.1.0, <1.1.13 → Upgrade to 1.1.13
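As an added example (this is not code from the advisory or from the Reactor Netty project), the following Python checks dependency coordinates against the affected ranges and upgrade targets listed above. It compares versions numerically rather than as strings (so 1.0.39 is correctly seen as newer than 1.0.4), and the dependency entries it scans are constructed for illustration.

```python
"""
Version-range check for CVE-2023-34054 (reactor-netty-core).
Added example, not part of the advisory or the Reactor Netty project.
The affected ranges and fix versions are the ones the advisory lists;
the sample dependency entries below are constructed, not real project data.
"""
import re

ARTIFACT = "io.projectreactor.netty:reactor-netty-core"

# (lower bound, upper bound, fixed version). The advisory states both bounds
# as exclusive (">1.0.0, <1.0.39" and ">1.1.0, <1.1.13"), so they are kept that way here.
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 0, 39), "1.0.39"),
    ((1, 1, 0), (1, 1, 13), "1.1.13"),
]


def parse_version(text: str) -> tuple:
    """Turn '1.0.38' or '1.1.12.RELEASE' into a numeric (major, minor, patch) tuple.
    A plain string comparison would rank '1.0.4' above '1.0.39'; tuples do not."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fix_for(version: str):
    """Return the upgrade target if `version` falls inside an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low < v < high:
            return fixed
    return None


def scan_dependencies(deps):
    """Scan an iterable of dependency coordinates and return
    [(coordinate, upgrade_target)] for every vulnerable reactor-netty-core entry.

    Accepts both 'group:artifact:version' and Maven's longer
    'group:artifact:type:version[:scope]' form."""
    findings = []
    for line in deps:
        parts = line.strip().split(":")
        if len(parts) < 3 or f"{parts[0]}:{parts[1]}" != ARTIFACT:
            continue
        if parts[2][:1].isdigit() or len(parts) < 4:
            version = parts[2]
        else:
            version = parts[3]          # skip the packaging type ('jar')
        fixed = fix_for(version)
        if fixed:
            findings.append((line.strip(), fixed))
    return findings


# Constructed sample input (not real project data)
SAMPLE_DEPS = [
    "io.projectreactor.netty:reactor-netty-core:1.0.38",
    "io.projectreactor.netty:reactor-netty-core:jar:1.1.12:compile",
    "io.projectreactor.netty:reactor-netty-http:1.1.12",   # different artifact, ignored
    "io.projectreactor.netty:reactor-netty-core:1.1.13",   # already fixed
]

if __name__ == "__main__":
    for coord, fixed in scan_dependencies(SAMPLE_DEPS):
        print(f"{coord} is affected by CVE-2023-34054; upgrade to {fixed}")
```

Feed `scan_dependencies` the coordinates from your build's dependency listing; only `reactor-netty-core` entries inside the listed ranges are reported, each with the upgrade target from the advisory.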
Additional Resources
- https://spring.io/security/cve-2023-34054
- https://github.com/reactor/reactor-netty/releases/tag/v1.0.39
- https://github.com/reactor/reactor-netty
- https://osv.dev/vulnerability/GHSA-q24v-hpg3-v3jp
- https://github.com/reactor/reactor-netty/releases/tag/v1.1.13
- https://github.com/reactor/reactor-netty/commit/37dc8a2ef6514cd7834e75e7f3faf0b9ea044c88
- https://github.com/reactor/reactor-netty/commit/4ddbb1b9b985bb72290110ebae468a54e7f19420
- https://github.com/reactor/reactor-netty/commit/ae82154e99e6f51f4816effd135f0c3a966d6ea3
- https://nvd.nist.gov/vuln/detail/CVE-2023-34054
What are Similar Vulnerabilities to CVE-2023-34054?
Similar Vulnerabilities: CVE-2022-22965, CVE-2021-38183, CVE-2020-5407, CVE-2020-5410, CVE-2018-12503
