Spring Security Advisories

All advisories

CVE-2023-34054: Reactor Netty HTTP Server Metrics DoS Vulnerability

MEDIUM | NOVEMBER 27, 2023 | CVE-2023-34054

Description

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Affected Spring Products and Versions

  • Reactor Netty
    • 1.1.0 to 1.1.12
    • 1.0.0 to 1.0.38
    • And older unsupported versions

Mitigation

Users of affected versions should apply the following mitigation. 1.1.x users should upgrade to 1.1.13. 1.0.x users should upgrade to 1.0.39. No other steps are necessary.

Releases that have fixed this issue include:

  • Reactor Netty
    • 1.1.13
    • 1.0.39

As a temporary workaround, Reactor Netty 1.1.x and 1.0.x users can choose to disable Reactor Netty HTTP Server built-in integration with Micrometer.

Credit

The issue was identified and responsibly reported by James Yuzawa (https://github.com/yuzawa-san).

References

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all