CVE-2023-6481
Serialization vulnerability in logback-core (Maven)
What is CVE-2023-6481 About?
This vulnerability is a serialization flaw in logback's receiver component that leads to a denial of service (DoS). By sending poisoned serialized data to the receiver, an attacker can exhaust its resources or crash the application. It is generally easy to exploit: intentionally malformed serialized data is enough, and no authentication is required.
Affected Software
- ch.qos.logback:logback-core
- 1.2.x, <1.2.13
- 1.3.x, <1.3.14
- 1.4.x, <1.4.14
Technical Details
The logback receiver component (the server side that accepts serialized logging events sent by remote socket appenders) is vulnerable in 1.4.13, 1.3.13 and 1.2.12 and in earlier releases of those lines. An attacker who can connect to the receiver sends a specially crafted ('poisoned') serialized stream. When the receiver deserializes it, malformed structure is not rejected up front: in particular, the stream can declare array lengths far larger than any legitimate event would carry, so the receiver attempts oversized allocations and exhausts memory or CPU before the stream is ever found to be invalid. The result is a denial-of-service condition that makes the logging receiver, and potentially the application hosting it, unresponsive.
What is the Impact of CVE-2023-6481?
Successful exploitation may allow attackers to cause a denial of service, rendering the logging component and potentially the entire application unavailable.
What is the Exploitability of CVE-2023-6481?
Exploitation is of low complexity: the attacker only needs to produce a malformed Java serialization stream and deliver it to the receiver's port. No authentication or elevated privileges are required, and the attack is remote, since the poisoned data is sent over the network. The one precondition is a reachable logback receiver that deserializes untrusted input. Receivers are not active by default and must be configured explicitly, so deployments that never enable one are not exposed through this path. The risk is highest when the receiver listens on a publicly accessible interface. Until the upgrade is applied, restrict network access to the receiver port to trusted log shippers and, where the deployment supports it, require TLS with client authentication on the receiver.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-6481?
About the Fix from Resolved Security
The patch introduces bounds checks on array sizes during deserialization and a hardened object input stream that only deserializes allowlisted classes, addressing the unsafe deserialization in CVE-2023-6481. Rejecting excessively large arrays before they are allocated closes the denial-of-service vector; rejecting classes outside the allowlist is the standard defence against deserialization gadget chains more broadly, including those used for remote code execution.
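The following is an added example, not logback's own code and not the patch described above. It shows, in plain JDK Java, the two defences the fix description names, an allowlist of deserializable classes and a hard limit on array lengths, applied on the receiving side through `ObjectInputFilter` (Java 9+). It also shows why the array check has to run before allocation: an unfiltered `ObjectInputStream` allocates an array from the length declared in the stream before it has read a single element. `HardenedReceiverDemo`, `LogEventVO` and `Unexpected` are hypothetical names, the filter pattern and limits are illustrative choices, and the three serialized inputs are constructed in the code itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not logback code: a receiver-side deserialization guard in the spirit
// of the CVE-2023-6481 fix. The JDK's ObjectInputFilter (JEP 290) enforces a class
// allowlist plus limits on array length, nesting depth, back-references and bytes.
// LogEventVO and Unexpected are hypothetical stand-ins for a logging event and for a
// class the receiver should never instantiate.
public class HardenedReceiverDemo {

    static final class LogEventVO implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        final Object[] args;   // an argument array: the kind of field a length limit protects
        LogEventVO(String message, Object[] args) { this.message = message; this.args = args; }
    }

    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Filter language: class patterns are tried in order and "!*" rejects anything not
    // matched earlier; limits are key=value. For arrays the element type is matched, so
    // java.lang.Object covers Object[]. Serializable superclasses that appear in the
    // stream are checked too, so every class a legitimate event can contain must be listed.
    static final ObjectInputFilter RECEIVER_FILTER = ObjectInputFilter.Config.createFilter(
            "HardenedReceiverDemo$LogEventVO;java.lang.Object;java.lang.String;!*;"
          + "maxarray=1024;maxdepth=16;maxrefs=4096;maxbytes=1048576");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Unsafe: whatever the peer declares is trusted. readArray() allocates from the
    // declared length before reading any element, so a huge declared length means a
    // huge allocation (or OutOfMemoryError) no matter how few bytes actually follow.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened: the filter sees each class descriptor and each array length before
    // the stream allocates or instantiates anything.
    static Object readHardened(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(RECEIVER_FILTER);   // must precede the first readObject()
            return in.readObject();
        }
    }

    // Returns "ACCEPTED" or "REJECTED: <reason>" so the outcome can be logged or asserted.
    static String verdict(byte[] bytes) throws IOException, ClassNotFoundException {
        try {
            readHardened(bytes);
            return "ACCEPTED";
        } catch (InvalidClassException e) {   // thrown when the filter returns REJECTED
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] argv) throws Exception {
        // Constructed inputs: a normal event, an event with an oversized argument array,
        // and an object of a class the receiver has no business instantiating.
        byte[] normal   = serialize(new LogEventVO("user {} logged in from {}",
                                                   new Object[] {"alice", "10.0.0.7"}));
        byte[] oversize = serialize(new LogEventVO("x", new Object[100_000]));
        byte[] badClass = serialize(new Unexpected());

        System.out.println("normal   -> " + verdict(normal));     // ACCEPTED
        System.out.println("oversize -> " + verdict(oversize));   // REJECTED (maxarray exceeded)
        System.out.println("badClass -> " + verdict(badClass));   // REJECTED (not allowlisted)

        // The unfiltered reader materialises the 100,000-slot array without complaint.
        Object[] args = ((LogEventVO) readUnfiltered(oversize)).args;
        System.out.println("unfiltered reader accepted array of length " + args.length);
    }
}
```

Compile and run with `javac HardenedReceiverDemo.java && java HardenedReceiverDemo`. Logback's own fix uses a hardened input stream of its own rather than this JDK filter, but the principle is the same: size limits are enforced on the declared length before allocation, and class names are checked against a fixed list. When adapting the allowlist to a real receiver, enumerate every class reachable from the event object, including nested value objects and their serializable superclasses, because any unlisted class in the stream is rejected along with the event that carries it.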
Available Upgrade Options
- ch.qos.logback:logback-core
- 1.2.x, <1.2.13 → Upgrade to 1.2.13
- 1.3.x, <1.3.14 → Upgrade to 1.3.14
- 1.4.x, <1.4.14 → Upgrade to 1.4.14

When upgrading, check the resolved version of logback-core in the full dependency tree rather than only in direct dependencies: it is normally pulled in transitively by logback-classic, so both artifacts must land on a fixed release.
Additional Resources
- https://logback.qos.ch/news.html#1.3.14
- https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f
- https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578
- https://osv.dev/vulnerability/GHSA-gm62-rw4g-vrc4
- https://nvd.nist.gov/vuln/detail/CVE-2023-6481
- https://logback.qos.ch/news.html#1.3.12
- https://github.com/qos-ch/logback
What are Similar Vulnerabilities to CVE-2023-6481?
Similar Vulnerabilities: CVE-2022-22965, CVE-2020-2564, CVE-2017-3507, CVE-2021-2139, CVE-2016-0638
