CVE-2023-6378
Serialization vulnerability in logback-classic (Maven)
What is CVE-2023-6378 About?
This is a serialization vulnerability in the logback receiver component, the optional network components that accept Java-serialized logging events from remote logback clients. By sending specially crafted (poisoned) serialized data to a receiver, an unauthenticated attacker can mount a Denial-of-Service (DoS) attack against the process hosting it. Only deployments that actually configure a receiver are exposed; once a reachable receiver is found, sending the payload is straightforward and leads to service unavailability.
Affected Software
- ch.qos.logback:logback-classic
  - >=1.4.0, <1.4.12
  - >=1.3.0, <1.3.12
  - <1.2.13
- ch.qos.logback:logback-core
  - >=1.4.0, <1.4.12
  - >=1.3.0, <1.3.12
  - <1.2.13
Technical Details
The vulnerability lies in the logback receiver component, which is used to receive logging events over a network (for example ServerSocketReceiver and SocketReceiver in logback-classic). A receiver reads Java-serialized ILoggingEvent objects (LoggingEventVO) from the socket through logback-core's HardenedObjectInputStream. That stream restricts which classes may be deserialized, but before the fix it placed no bound on the size of arrays or the depth of the object graph in the incoming stream, and LoggingEventVO allocated its argument array from a length field supplied by the sender. Crafted serialized data can therefore drive the receiver into unbounded memory allocation or deep recursion, leaving it in an error state or exhausting its resources so that legitimate logging events are no longer processed, which is the Denial-of-Service condition. The attack targets the deserialization of incoming data within the receiver and needs no class-level gadget chain.
What is the Impact of CVE-2023-6378?
Successful exploitation allows a remote, unauthenticated attacker to cause a Denial-of-Service condition: the receiver stops processing legitimate logging events, and because the receiver runs inside the JVM of the application or log server hosting it, memory exhaustion affects that whole process rather than only logging. The result is service disruption, degraded performance and unavailability of the affected application or centralized logging service.
What is the Exploitability of CVE-2023-6378?
Exploitation is remote and requires no authentication: a receiver accepts serialized events from any client that can reach its listening port. The main constraint is that a receiver component must actually be deployed and accessible. Logback has no network listener in its default configuration, so an application is exposed only if its logback configuration declares a receiver (a `<receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">` element or one of the other receiver classes) or runs the standalone SimpleSocketServer; grepping the deployed logback.xml for `<receiver` is the quickest check. Beyond that, the attacker only needs the Java serialization format the receiver expects, which is public. Risk rises sharply when the receiver port is reachable from untrusted networks; until the upgrade is applied, restricting network access to the port or removing the receiver configuration removes the exposure.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2023-6378?
About the Fix from Resolved Security
The patch fixes CVE-2023-6378 by adding strict limits to the deserialization path in logback's LoggingEventVO (logback-classic) and HardenedObjectInputStream (logback-core). HardenedObjectInputStream already restricted which classes may be deserialized; the patch additionally installs the JDK's built-in object input filter (java.io.ObjectInputFilter) with constraints on array size and object-graph depth, and LoggingEventVO.readObject now rejects argument-array lengths above a fixed maximum instead of allocating whatever length the stream claims. Together these stop crafted, deeply nested or oversized serialized objects from causing denial of service through unbounded memory allocation or stack overflow. The two checks are complementary: the stream filter bounds arrays that ObjectInputStream itself allocates while reading, while the explicit length check covers the array LoggingEventVO allocates in its own custom readObject, which the filter never sees.
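The two layers of the fix described above, shown as an added example that is not logback's code: EventVO and BoundedObjectInputStream are hypothetical stand-ins for LoggingEventVO and HardenedObjectInputStream, the limit values (128 arguments, maxarray 10000, maxdepth 16) are demo choices rather than logback's, and the class needs Java 9 or later for java.io.ObjectInputFilter. The demo serializes a legitimate event, an oversized array, a deeply nested array, a forged length prefix and an unexpected class, and shows which check refuses each.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

// Illustrative code written for this page, not logback's source. EventVO and
// BoundedObjectInputStream are hypothetical stand-ins for LoggingEventVO and
// HardenedObjectInputStream; all limit values are demo choices. Needs Java 9+.
public class DeserializationLimitsDemo {

    // Stand-in for LoggingEventVO: the argument array is hand-serialized as a
    // length prefix followed by the elements, as the real class does.
    static final class EventVO implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int NULL_ARGUMENT_ARRAY = -1;
        static final int MAX_ARGUMENT_ARRAY_LENGTH = 128; // demo cap
        final String message;
        transient Object[] argumentArray;
        // Demo-only knob: forge the length prefix the way an attacker writing
        // raw bytes would, while still sending only the real elements.
        transient int claimedLength = Integer.MIN_VALUE;

        EventVO(String message, Object[] argumentArray) {
            this.message = message;
            this.argumentArray = argumentArray;
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            if (argumentArray == null) { out.writeInt(NULL_ARGUMENT_ARRAY); return; }
            out.writeInt(claimedLength == Integer.MIN_VALUE ? argumentArray.length : claimedLength);
            for (Object arg : argumentArray) out.writeObject(arg);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();
            if (len == NULL_ARGUMENT_ARRAY) return;
            // The stream's ObjectInputFilter never sees this allocation: our own
            // code creates the array from a sender-chosen length, so without this
            // bound one forged int forces an allocation of up to 2^31 references.
            if (len < 0 || len > MAX_ARGUMENT_ARRAY_LENGTH)
                throw new InvalidObjectException("argument array length out of bounds: " + len);
            argumentArray = new Object[len];
            for (int i = 0; i < len; i++) argumentArray[i] = in.readObject();
        }
    }

    // Stand-in for HardenedObjectInputStream: class allow-list plus JDK limits.
    static final class BoundedObjectInputStream extends ObjectInputStream {
        static final int MAX_DEPTH = 16;     // demo value
        static final int MAX_ARRAY = 10_000; // demo value
        private final Set<String> allowed;

        BoundedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
            // Enforced by ObjectInputStream before it allocates an array or
            // descends another level, independently of resolveClass below.
            setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "maxarray=" + MAX_ARRAY + ";maxdepth=" + MAX_DEPTH));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Array descriptors such as "[Ljava.lang.Object;" arrive here too,
            // so an allow-list has to name them explicitly.
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException("class not permitted: " + desc.getName());
            return super.resolveClass(desc);
        }
    }

    static final Set<String> ALLOWED = Set.of(EventVO.class.getName(), Object[].class.getName());

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // What a receiver does with one incoming payload: accept the event or
    // report why the hardened stream refused it.
    static String receive(byte[] payload) {
        try (ObjectInputStream in = new BoundedObjectInputStream(new ByteArrayInputStream(payload), ALLOWED)) {
            EventVO vo = (EventVO) in.readObject();
            int n = vo.argumentArray == null ? 0 : vo.argumentArray.length;
            return "accepted: '" + vo.message + "' with " + n + " argument(s)";
        } catch (IOException | ClassNotFoundException | ClassCastException e) {
            return "rejected: " + e;
        }
    }

    // Object[] nested 'levels' deep: the deeply nested shape that maxdepth stops.
    static Object[] nest(int levels) {
        Object[] cur = new Object[] { "leaf" };
        for (int i = 1; i < levels; i++) cur = new Object[] { cur };
        return cur;
    }

    public static void main(String[] args) throws IOException {
        // Legitimate event: passes every check.
        System.out.println(receive(serialize(new EventVO("user {} logged in", new Object[] { "alice" }))));
        // Oversized array inside the event: maxarray refuses it before allocation.
        System.out.println(receive(serialize(new EventVO("big", new Object[] { new Object[20_000] }))));
        // Deep nesting: maxdepth refuses it at level 17 instead of recursing 64 deep.
        System.out.println(receive(serialize(new EventVO("deep", new Object[] { nest(64) }))));
        // Forged length prefix: invisible to the filter, caught by readObject's bound.
        EventVO forged = new EventVO("forged", new Object[] { "x" });
        forged.claimedLength = Integer.MAX_VALUE;
        System.out.println(receive(serialize(forged)));
        // Unexpected class: refused by the allow-list before the class is loaded.
        System.out.println(receive(serialize(new java.util.ArrayList<>(java.util.List.of("not an event")))));
    }
}
```

The forged-length case is the one worth studying: the JDK filter only inspects arrays and depth that ObjectInputStream itself encounters while parsing the stream, so a custom readObject that does `new Object[len]` from a value it just read is outside the filter's reach and needs its own bound. That is why a fix limited to the stream class alone would have left part of the problem open.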
Available Upgrade Options
- ch.qos.logback:logback-core
  - <1.2.13 → Upgrade to 1.2.13
  - >=1.3.0, <1.3.12 → Upgrade to 1.3.12
  - >=1.4.0, <1.4.12 → Upgrade to 1.4.12
- ch.qos.logback:logback-classic
  - <1.2.13 → Upgrade to 1.2.13
  - >=1.3.0, <1.3.12 → Upgrade to 1.3.12
  - >=1.4.0, <1.4.12 → Upgrade to 1.4.12
Upgrade logback-core and logback-classic together to the same version, and stay within your current release line: 1.2.x pairs with SLF4J 1.7, while 1.3.x and 1.4.x require SLF4J 2.0 (1.4.x also requires Java 11), so crossing lines is a larger change than this fix needs.
Additional Resources
- https://logback.qos.ch/manual/receivers.html
- https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3
- https://osv.dev/vulnerability/GHSA-vmq6-5m68-f53m
- https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731
- https://logback.qos.ch/news.html#1.2.13
- https://logback.qos.ch/news.html#1.3.12
- https://nvd.nist.gov/vuln/detail/CVE-2023-6378
- https://github.com/qos-ch/logback/issues/745#issuecomment-1836227158
- https://github.com/qos-ch/logback
- https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb
What are Similar Vulnerabilities to CVE-2023-6378?
Similar Vulnerabilities: CVE-2021-44228, CVE-2019-10172, CVE-2017-4971, CVE-2016-1000338, CVE-2015-7581
