Description

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Affected Spring Products and Versions

• Reactor Netty
  • 1.1.0 to 1.1.12
  • 1.0.0 to 1.0.38
  • And older unsupported versions

Mitigation

Users of affected versions should apply the following mitigation. 1.1.x users should upgrade to 1.1.13. 1.0.x users should upgrade to 1.0.39. No other steps are necessary.

Releases that have fixed this issue include:

• Reactor Netty
  • 1.1.13
  • 1.0.39

As a temporary workaround, Reactor Netty 1.1.x and 1.0.x users can choose to disable Reactor Netty HTTP Server built-in integration with Micrometer.

Credit

The issue was identified and responsibly reported by James Yuzawa (https://github.com/yuzawa-san).

References

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1