=====================================================================

                                  CERT-Renater

                      Note d'Information No. 2023/VULN485

_____________________________________________________________________

DATE                : 27/11/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Framework 6.0.x versions
                     prior to 6.0.14.

=====================================================================
https://spring.io/security/cve-2023-34053/
_____________________________________________________________________

CVE-2023-34053: Spring Framework server Web Observations DoS
Vulnerability

MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34053


Description

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a
user to provide specially crafted HTTP requests that may cause a
denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following
are true:

     the application uses Spring MVC or Spring WebFlux
     io.micrometer:micrometer-core is on the classpath
     an ObservationRegistry is configured in the application to record
     observations

Typically, Spring Boot applications need the
org.springframework.boot:spring-boot-actuator dependency to meet all
conditions.


Affected Spring Products and Versions

Spring Framework

     6.0.0 to 6.0.13

Older versions are not affected.


Mitigation

Users of affected versions should apply the following mitigation.

     Spring Framework 6.0.x users should upgrade to 6.0.14.

No other steps are necessary.

As a temporary workaround, Spring Boot 3.0.x and 3.1.x users can
choose to disable web framework observations with the following
property: management.metrics.enable.http.server.requests=false
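The following script is an added check, not part of this note and not
code from the Spring project. It evaluates the three conditions listed
under Description against the output of `mvn dependency:list`, applies
the 6.0.0 - 6.0.13 affected range and the 6.0.14 fix from the
Mitigation section, and also reports whether the Spring Boot workaround
property above is set in application.properties. The spring-webmvc and
spring-webflux artifact ids are my assumption for how "uses Spring MVC
or Spring WebFlux" appears in a Maven build; the dependency lines and
property file are constructed sample input.

```python
"""Added example (not from the CERT-Renater note or the Spring project):
decide from a Maven dependency list whether a build meets the advisory's
conditions for CVE-2023-34053 and whether the Boot workaround is set."""
import re
from typing import Dict, Tuple

# Inclusive affected range and fixed release, as stated in the advisory.
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 0, 13)
FIXED_VERSION = "6.0.14"

# micrometer-core and spring-boot-actuator are named in the advisory; the
# MVC/WebFlux artifact ids are the standard Maven ones (my assumption for
# how "uses Spring MVC or Spring WebFlux" shows up in a build).
WEB_ARTIFACTS = {"org.springframework:spring-webmvc",
                 "org.springframework:spring-webflux"}
MICROMETER = "io.micrometer:micrometer-core"
ACTUATOR = "org.springframework.boot:spring-boot-actuator"
WORKAROUND_KEY = "management.metrics.enable.http.server.requests"

# One `mvn dependency:list` line:
# "[INFO]    groupId:artifactId:type[:classifier]:version:scope"
DEP_LINE = re.compile(r"^\[INFO\]\s+(?P<ga>[\w.\-]+:[\w.\-]+):(?P<rest>\S+)\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'6.0.13' -> (6, 0, 13); stops at the first non-numeric component."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_dependency_list(text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for each resolved dependency."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        fields = m.group("rest").split(":")   # type[:classifier]:version:scope
        if len(fields) >= 3:
            deps[m.group("ga")] = fields[-2]  # version is second from the end
    return deps


def is_affected_version(v: str) -> bool:
    """True for Spring Framework 6.0.0 through 6.0.13 inclusive."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def workaround_applied(properties_text: str) -> bool:
    """True if application.properties sets the workaround key to false."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == WORKAROUND_KEY:
            return value.strip().lower() == "false"
    return False


def assess(dependency_list: str, properties_text: str = "") -> Dict[str, bool]:
    """Evaluate each advisory condition separately so the report says why."""
    deps = parse_dependency_list(dependency_list)
    web_versions = [v for ga, v in deps.items() if ga in WEB_ARTIFACTS]
    findings = {
        "web_framework": bool(web_versions),
        "affected_version": any(is_affected_version(v) for v in web_versions),
        "micrometer_core": MICROMETER in deps,
        # The advisory says actuator is what typically wires an ObservationRegistry.
        "observation_registry_likely": ACTUATOR in deps,
        "workaround_applied": workaround_applied(properties_text),
    }
    findings["vulnerable"] = (findings["web_framework"]
                              and findings["affected_version"]
                              and findings["micrometer_core"]
                              and findings["observation_registry_likely"]
                              and not findings["workaround_applied"])
    return findings


# Constructed sample output shaped like `mvn dependency:list`; the
# non-Spring-Framework versions are illustrative only.
VULNERABLE_BUILD = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-webmvc:jar:6.0.13:compile
[INFO]    org.springframework:spring-web:jar:6.0.13:compile
[INFO]    io.micrometer:micrometer-core:jar:1.11.5:compile
[INFO]    org.springframework.boot:spring-boot-actuator:jar:3.1.5:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
"""
PATCHED_BUILD = VULNERABLE_BUILD.replace("6.0.13", FIXED_VERSION)
# Constructed application.properties with the advisory's workaround set.
WORKAROUND_PROPS = ("# constructed application.properties\n"
                    "management.metrics.enable.http.server.requests = false\n")

if __name__ == "__main__":
    for name, build, props in (("vulnerable", VULNERABLE_BUILD, ""),
                               ("patched", PATCHED_BUILD, ""),
                               ("workaround", VULNERABLE_BUILD, WORKAROUND_PROPS)):
        print(name, assess(build, props))
```

Pipe `mvn dependency:list` into assess() for a real build; the per-condition
flags tell you which of the three prerequisites is missing, so a build that
has micrometer-core but no actuator is reported as not meeting the
advisory's conditions rather than silently passing.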


Credit

The issue was identified and responsibly reported by James Yuzawa.


References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
