Logback "receiver" DOS vulnerability CVE-2023-6378 incomplete fix
A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-of-Service attack by sending poisoned data.
Description: Denial-of-service using poisoned data
Metrics
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Other Info
Impacts
CAPEC ID: N/A
Description: Excessive CPU or memory usage on the host where a logback receiver component is deployed
Solutions
Only environments where the logback receiver component is deployed may be vulnerable.
In case a logback receiver is deployed, restricting connections to trustworthy clients or upgrading to logback version 1.4.14, 1.3.14, 1.2.13 or later will remedy the vulnerability.
If you do not need to deploy a logback receiver, then please verify that you do not have any <receiver></receiver> entries in your configuration files.
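The following script is an added example, not part of the advisory or of the logback project, that performs the configuration check described above: it parses logback XML configuration files and reports every receiver element (with its class and port) so that an operator can confirm no receiver is deployed. The sample configuration embedded in it is constructed for illustration; the receiver class name used in that sample is logback's own ServerSocketReceiver.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample logback configuration (not taken from the advisory) that
# contains one receiver element alongside an ordinary console appender.
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>4560</port>
  </receiver>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""


def find_receivers(xml_text: str) -> list[dict]:
    """Return one record per receiver element found anywhere in the config.

    Element names are compared case-insensitively because logback's Joran
    configurator does not require a particular case for tag names.
    """
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.lower() != "receiver":
            continue
        found.append({
            "class": elem.get("class", "<unspecified>"),
            "port": (elem.findtext("port") or "").strip(),
        })
    return found


def scan_config_files(directory: str) -> dict[str, list[dict]]:
    """Scan every logback*.xml below `directory`; map file path -> receivers."""
    results = {}
    for path in Path(directory).rglob("logback*.xml"):
        try:
            receivers = find_receivers(path.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            print(f"{path}: unparsable XML ({exc}); inspect manually")
            continue
        if receivers:
            results[str(path)] = receivers
    return results


if __name__ == "__main__":
    for rec in find_receivers(SAMPLE_CONFIG):
        print(f"receiver found: class={rec['class']} port={rec['port']}")
```

Any file reported by `scan_config_files` either needs its receiver removed or, if the receiver is required, an upgrade to a fixed logback version running on Java 9 or later and network access restricted to trustworthy clients.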
Configurations
The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver, which can be a significant hurdle in itself.
Only environments where a logback receiver is deployed are vulnerable.
Workarounds
Logback versions 1.2.13 and later, 1.3.14 and later, or 1.4.14 and later provide fixes. However, please note that these fixes are only effective when deployed under Java 9 or later.