CVE-2023-34055: Spring Boot server Web Observations DoS Vulnerability

MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34055

Description

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses Spring MVC or Spring WebFlux
  • org.springframework.boot:spring-boot-actuator is on the classpath

Affected Spring Products and Versions

Spring Boot

  • 2.7.0 to 2.7.17
  • 3.0.0 to 3.0.12
  • 3.1.0 to 3.1.5

And older unsupported versions.

Spring Boot 3.x versions are also affected by CVE-2023-34053, a similar issue in Spring Framework itself. The Spring Boot 3.0.13 and 3.1.6 releases upgrade to the Spring Framework version that fixes it, so the upgrades below address both CVEs.

Mitigation

Users of affected versions should apply the following mitigation.

  • pre-2.7.x users should upgrade to 2.7.18.
  • Spring Boot 2.7.x users should upgrade to 2.7.18.
  • Spring Boot 3.0.x users should upgrade to 3.0.13.
  • Spring Boot 3.1.x users should upgrade to 3.1.6.

No other steps are necessary.

As a temporary workaround, Spring Boot users can disable the HTTP server request metrics with the following property:

management.metrics.enable.http.server.requests=false

This switches off the http.server.requests meters, which are the web observations this advisory concerns. While the property is set, request metrics are no longer recorded or reported through the actuator, so treat it as a stop-gap until the upgrade above has been applied.
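A triage script for the conditions above, added here as an example; it is not part of the advisory or of Spring Boot itself. It reads the output of `mvn dependency:tree` or `gradle dependencies --configuration runtimeClasspath` (the two sample trees embedded below are constructed for this example, not captured from a real build), looks up the resolved org.springframework.boot:spring-boot version, checks it against the affected ranges listed above (anything below 2.7.0 is treated as an older unsupported line and mapped to 2.7.18, as the mitigation list says), checks that a Spring MVC or WebFlux artifact and org.springframework.boot:spring-boot-actuator are both on the classpath, and reports the upgrade target plus the temporary workaround property. The regular expression for the two tree formats and the version-comparison logic are this example's own assumptions.

```python
import re
from typing import Optional

# Affected ranges from the advisory, inclusive, keyed by (major, minor),
# together with the release that carries the fix.
AFFECTED = {
    (2, 7): ((2, 7, 0), (2, 7, 17), "2.7.18"),
    (3, 0): ((3, 0, 0), (3, 0, 12), "3.0.13"),
    (3, 1): ((3, 1, 0), (3, 1, 5), "3.1.6"),
}
ACTUATOR = "org.springframework.boot:spring-boot-actuator"
WEB_STACKS = ("org.springframework:spring-webmvc", "org.springframework:spring-webflux")
WORKAROUND = "management.metrics.enable.http.server.requests=false"

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_MAVEN_TREE = r"""
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.17:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.17:compile
[INFO] |  |  \- org.springframework.boot:spring-boot:jar:2.7.17:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.30:compile
[INFO] \- org.springframework.boot:spring-boot-starter-actuator:jar:2.7.17:compile
[INFO]    +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.7.17:compile
[INFO]    |  \- org.springframework.boot:spring-boot-actuator:jar:2.7.17:compile
[INFO]    \- io.micrometer:micrometer-core:jar:1.9.16:compile
"""

# Constructed sample of `gradle dependencies --configuration runtimeClasspath`
# output, including a version Gradle resolved upward ("3.1.4 -> 3.1.5").
SAMPLE_GRADLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-webflux:3.1.5
|    +--- org.springframework.boot:spring-boot-starter:3.1.5
|    |    \--- org.springframework.boot:spring-boot:3.1.4 -> 3.1.5
|    \--- org.springframework:spring-webflux:6.0.13
\--- org.springframework.boot:spring-boot-starter-actuator:3.1.5
     +--- org.springframework.boot:spring-boot-actuator-autoconfigure:3.1.5
     |    \--- org.springframework.boot:spring-boot-actuator:3.1.5 (*)
     \--- io.micrometer:micrometer-core:1.11.5
"""

# Matches "group:artifact[:jar]:version[:scope]" (Maven) and
# "group:artifact:version[ -> resolved]" (Gradle). Assumed formats.
DEP_RE = re.compile(
    r"([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+)"
    r"(?::(?:(?:jar|war|pom):)?(\d[A-Za-z0-9_.-]*))?"
    r"(?:\s*->\s*(\d[A-Za-z0-9_.-]*))?"
)


def parse_version(version: str) -> Optional[tuple]:
    """'2.7.17' or '2.3.12.RELEASE' -> (2, 7, 17); None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def fixed_version(boot_version: str) -> Optional[str]:
    """Release to upgrade to if boot_version is affected, else None."""
    v = parse_version(boot_version)
    if v is None:
        return None
    if v < (2, 7, 0):
        return "2.7.18"  # older unsupported lines: advisory says go to 2.7.18
    rng = AFFECTED.get(v[:2])
    if rng and rng[0] <= v <= rng[1]:
        return rng[2]
    return None  # already fixed, or a line the advisory does not list


def parse_dependencies(tree_output: str) -> dict:
    """Map 'group:artifact' -> resolved version for every dependency line."""
    deps = {}
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        version = m.group(4) or m.group(3)  # prefer Gradle's resolved version
        if version:
            deps[f"{m.group(1)}:{m.group(2)}"] = version
    return deps


def triage(tree_output: str) -> dict:
    """Apply the advisory's three conditions to a dependency tree."""
    deps = parse_dependencies(tree_output)
    boot = deps.get("org.springframework.boot:spring-boot")
    upgrade_to = fixed_version(boot) if boot else None
    web_stack = any(k in deps for k in WEB_STACKS)
    actuator = ACTUATOR in deps
    vulnerable = upgrade_to is not None and web_stack and actuator
    return {
        "boot_version": boot,
        "affected_version": upgrade_to is not None,
        "web_stack": web_stack,
        "actuator": actuator,
        "vulnerable": vulnerable,
        "upgrade_to": upgrade_to,
        "workaround": WORKAROUND if vulnerable else None,
    }


if __name__ == "__main__":
    for name, tree in (("maven", SAMPLE_MAVEN_TREE), ("gradle", SAMPLE_GRADLE_TREE)):
        print(name, triage(tree))
```

Feed it the real tree of a build to get a per-application verdict; a build whose tree lacks spring-webmvc/spring-webflux or spring-boot-actuator is reported as not vulnerable even on an affected Boot version, which matches the advisory's conditions. The script does not evaluate the Spring Framework version for CVE-2023-34053, because this page does not list those ranges.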

Credit

The issue was identified and responsibly reported by James Yuzawa.
