=====================================================================
CERT-Renater Information Note No. 2023/VULN486
_____________________________________________________________________

DATE                 : 27/11/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Spring Boot versions prior to 3.0.13, 3.1.6.
=====================================================================

https://spring.io/security/cve-2023-34055/
_____________________________________________________________________

CVE-2023-34055: Spring Boot server Web Observations DoS Vulnerability
MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34055

Description

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  - the application uses Spring MVC or Spring WebFlux
  - org.springframework.boot:spring-boot-actuator is on the classpath

Affected Spring Products and Versions

Spring Boot
  - 2.7.0 to 2.7.17
  - 3.0.0 to 3.0.12
  - 3.1.0 to 3.1.5
  - And older unsupported versions.

Spring Boot 3.x versions are also affected by CVE-2023-34053, which is a similar issue in Spring Framework. The Spring Boot 3.0.13 and 3.1.6 releases upgrade Spring Framework to the relevant fixed version.

Mitigation

Users of affected versions should apply the following mitigation.

  - pre-2.7.x users should upgrade to 2.7.18.
  - Spring Boot 2.7.x users should upgrade to 2.7.18.
  - Spring Boot 3.0.x users should upgrade to 3.0.13.
  - Spring Boot 3.1.x users should upgrade to 3.1.6.

No other steps are necessary.

As a temporary workaround, Spring Boot users can choose to disable web metrics with the following property:

  management.metrics.enable.http.server.requests=false

Credit

The issue was identified and responsibly reported by James Yuzawa.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
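The following is an added triage helper, not part of the CERT-Renater advisory or of Spring's own code: it encodes the affected ranges and upgrade targets listed above, plus the two preconditions (Spring MVC/WebFlux in use, spring-boot-actuator on the classpath), so an inventory of Spring Boot versions can be classified in bulk. The function and variable names are the example's own; version qualifiers such as "-SNAPSHOT" or ".RELEASE" are ignored for the comparison.

```python
# Added example (not from the advisory or from Spring): classify a Spring Boot
# version against the CVE-2023-34055 ranges and return the advised upgrade.
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory (inclusive) and the fixed release.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 17), "2.7.18"),
    ((3, 0, 0), (3, 0, 12), "3.0.13"),
    ((3, 1, 0), (3, 1, 5), "3.1.6"),
]
# "Older unsupported versions" (anything before 2.7.0) are also affected;
# the advisory sends pre-2.7.x users to 2.7.18.
OLDEST_SUPPORTED = (2, 7, 0)
LEGACY_FIX = "2.7.18"

# MAJOR.MINOR.PATCH with an optional qualifier (e.g. 3.1.5-SNAPSHOT, 2.7.17.RELEASE).
# Simplification: the qualifier is ignored, so a pre-release is treated like its release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def required_upgrade(version: str) -> Optional[str]:
    """Return the release the advisory says to move to, or None if outside the listed ranges."""
    v = parse_version(version)
    if v < OLDEST_SUPPORTED:
        return LEGACY_FIX
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return fix
    return None

def assess(version: str, actuator_on_classpath: bool, uses_spring_web: bool) -> str:
    """Combine the version check with the two preconditions the advisory lists."""
    fix = required_upgrade(version)
    if fix is None:
        return "not affected: version outside the listed ranges"
    if not (actuator_on_classpath and uses_spring_web):
        return f"affected version {version}, but preconditions not met; still upgrade to {fix}"
    return (f"VULNERABLE: upgrade to {fix}; interim workaround: "
            "management.metrics.enable.http.server.requests=false")
```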