=====================================================================
CERT-Renater Information Note No. 2023/VULN487
_____________________________________________________________________
DATE : 27/11/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Reactor Netty versions prior to 1.1.13, 1.0.39.
=====================================================================
https://spring.io/security/cve-2023-34054/
_____________________________________________________________________

CVE-2023-34054: Reactor Netty HTTP Server Metrics DoS Vulnerability
MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34054

Description

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if the Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Affected Spring Products and Versions

Reactor Netty
  1.1.0 to 1.1.12
  1.0.0 to 1.0.38
  And older unsupported versions

Mitigation

Users of affected versions should apply the following mitigation.
  1.1.x users should upgrade to 1.1.13.
  1.0.x users should upgrade to 1.0.39.
No other steps are necessary.

Releases that have fixed this issue include:
  Reactor Netty 1.1.13
  Reactor Netty 1.0.39

As a temporary workaround, Reactor Netty 1.1.x and 1.0.x users can choose to disable the Reactor Netty HTTP Server built-in integration with Micrometer.

Credit

The issue was identified and responsibly reported by James Yuzawa (https://github.com/yuzawa-san).

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email:cert@support.renater.fr  +
=========================================================
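As an added triage helper (not part of the advisory or of Reactor Netty), the following script encodes the affected ranges stated above and flags vulnerable Reactor Netty coordinates in `mvn dependency:list`-style output. The dependency listing is constructed for illustration, and treating release lines newer than 1.1 as unaffected is an assumption, since the advisory names no such line.

```python
"""Triage helper for CVE-2023-34054 (Reactor Netty HTTP Server metrics DoS).

Affected ranges come from the advisory: 1.1.0..1.1.12 (fixed in 1.1.13),
1.0.0..1.0.38 (fixed in 1.0.39), plus older unsupported versions.
Hypothetical helper written for this page, not Reactor Netty's own code.
"""
import re
from typing import List, Optional, Tuple

# Release line (major, minor) -> first patch release containing the fix.
FIXED = {(1, 1): 13, (1, 0): 39}

# Accepts '1.1.12', '1.0.39', or older suffixed forms such as '0.9.20.RELEASE'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")

# Maven dependency:list prints groupId:artifactId:type:version:scope.
_DEP_RE = re.compile(
    r"io\.projectreactor\.netty:(reactor-netty-http|reactor-netty):[\w-]+:([^:\s]+)"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected ranges."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = parsed
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Assumption: lines newer than 1.1 post-date the fix; anything older than
    # 1.0 is one of the "older unsupported versions" the advisory lists.
    return (major, minor) < (1, 0)


def scan_dependency_list(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs from dependency output that need upgrading."""
    findings = []
    for line in lines:
        m = _DEP_RE.search(line)
        if m and parse_version(m.group(2)) and is_affected(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile
[INFO]    io.projectreactor.netty:reactor-netty-core:jar:1.1.12:compile
[INFO]    io.micrometer:micrometer-core:jar:1.11.5:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: affected by CVE-2023-34054, upgrade required")
```

A vulnerable version is necessary but not sufficient: the advisory states that exposure also requires the built-in Micrometer integration to be enabled, which a dependency scan cannot determine.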