CVE-2023-34054 Overview
CVE-2023-34054 is a Denial of Service (DoS) vulnerability in the Reactor Netty HTTP Server. An unauthenticated remote attacker can send specially crafted HTTP requests that put the server into a DoS condition. An application is vulnerable only when it enables Reactor Netty HTTP Server's built-in integration with Micrometer (the HttpServer.metrics(true, ...) setting); a server that never turns this integration on is not affected, whatever version it runs.
Critical Impact
Unauthenticated remote attackers can cause denial-of-service conditions in applications using Reactor Netty HTTP Server with Micrometer integration enabled, potentially leading to complete service unavailability.
Affected Products
- Reactor Netty (Project Reactor) versions 1.1.x prior to 1.1.13
- Reactor Netty (Project Reactor) versions 1.0.x prior to 1.0.39
- Only applications that enable Reactor Netty HTTP Server's built-in Micrometer integration; the WebFlux-level HTTP observations that Spring Boot registers through its own web filter are a separate mechanism and do not by themselves enable the Reactor Netty recorder
Discovery Timeline
- 2023-11-28 - CVE-2023-34054 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34054
Vulnerability Analysis
This vulnerability exists in the Reactor Netty HTTP Server component, specifically when the built-in Micrometer metrics integration is active. Reactor Netty is a popular asynchronous event-driven network application framework used extensively in Spring WebFlux and other reactive Java applications.
The vulnerability allows attackers to craft malicious HTTP requests that exploit the metrics collection mechanism. When Micrometer integration processes these specially crafted requests, it can lead to resource exhaustion scenarios that render the server unable to handle legitimate traffic. This is particularly concerning in microservices architectures where Reactor Netty serves as the underlying HTTP server for reactive applications.
Root Cause
The vendor advisory is terse: it states that specially crafted HTTP requests can cause a DoS when the built-in Micrometer integration is enabled, and it does not identify which request element is abused. Because the advisory scopes the issue to the Micrometer integration, the defect lies in how request data is handled on its way into the metrics recorder rather than in the HTTP codec itself: values taken from an untrusted request are recorded without sufficient validation, and a stream of such requests consumes server resources until legitimate traffic can no longer be served. Any more specific description of the trigger should be treated as unconfirmed unless it cites the fixing commit.
Attack Vector
The attack is carried out remotely over the network and needs neither authentication nor user interaction: the attacker sends crafted HTTP requests to a vulnerable Reactor Netty HTTP Server on which the Micrometer integration is enabled, and the metrics recorder mishandles the request data, degrading or halting service.
The attack surface is the HTTP request metadata (request line and headers) that the integration captures for observability. Nothing in the request has to be valid for the application; it only has to reach the metrics path, which every request does once the integration is on. This is why the mitigation is binary: either the recorder is patched, or it is switched off.
Detection Methods for CVE-2023-34054
Indicators of Compromise
- Unusual spikes in HTTP request volume from single or limited IP addresses
- Abnormal memory consumption patterns in Reactor Netty server processes
- Application logs showing excessive metric registration or processing activity
- Service degradation or unresponsiveness coinciding with specific HTTP traffic patterns
Detection Strategies
- Monitor for anomalous HTTP request patterns targeting endpoints served by Reactor Netty
- Implement application performance monitoring (APM) to detect unusual resource consumption in the Micrometer metrics subsystem
- Configure alerting on sudden increases in response times or error rates
- Deploy web application firewalls (WAF) with rules to detect malformed or suspicious HTTP headers
Monitoring Recommendations
- Enable detailed logging for Reactor Netty HTTP server connections and request processing
- Monitor JVM heap usage and garbage collection metrics for unusual patterns
- Track Micrometer metric registry size and growth rate for abnormal increases
- Implement network-level monitoring to identify potential DoS attack patterns
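The registry-size check above (track Micrometer meter registry size and growth rate) is simple to automate from the Prometheus endpoint that most Micrometer deployments already expose. The following is an added example written for this page, not code from the Reactor Netty project: it counts the distinct label sets per reactor_netty_http_server_* metric family in two scrapes and flags a family that is either too large or has grown too fast between scrapes. The metric names follow Micrometer's Prometheus naming of Reactor Netty's HTTP server meters; the scrape excerpts, the thresholds and the route names are constructed for the example.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Compares two Prometheus scrapes of a Reactor Netty server and flags metric
 * families whose number of distinct label sets is large or growing quickly.
 */
public class MeterCardinalityCheck {

    // One Prometheus text-format sample: name{label="value",...} value [timestamp]
    private static final Pattern SAMPLE =
            Pattern.compile("^([A-Za-z_:][A-Za-z0-9_:]*)(\\{[^}]*\\})?\\s+\\S+");

    /** Distinct label sets per metric family, restricted to families starting with prefix. */
    static Map<String, Integer> seriesPerFamily(String scrape, String prefix) {
        Map<String, Set<String>> labelSets = new TreeMap<>();
        for (String raw : scrape.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue; // HELP/TYPE comment lines carry no series
            }
            Matcher m = SAMPLE.matcher(line);
            if (!m.find()) {
                continue;
            }
            String family = m.group(1);
            if (!family.startsWith(prefix)) {
                continue;
            }
            String labels = m.group(2) == null ? "" : m.group(2);
            labelSets.computeIfAbsent(family, k -> new HashSet<>()).add(labels);
        }
        Map<String, Integer> counts = new TreeMap<>();
        labelSets.forEach((family, sets) -> counts.put(family, sets.size()));
        return counts;
    }

    /**
     * Families that exceed maxSeries outright, or that gained more than maxGrowth
     * series since the previous scrape. Both thresholds are deployment-specific.
     */
    static List<String> findings(Map<String, Integer> before, Map<String, Integer> after,
                                 int maxSeries, int maxGrowth) {
        List<String> alerts = new ArrayList<>();
        for (Map.Entry<String, Integer> e : after.entrySet()) {
            int now = e.getValue();
            int prev = before.getOrDefault(e.getKey(), 0);
            if (now > maxSeries) {
                alerts.add(e.getKey() + ": " + now + " series exceeds limit " + maxSeries);
            } else if (now - prev > maxGrowth) {
                alerts.add(e.getKey() + ": grew by " + (now - prev) + " series since last scrape");
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed scrape excerpts for the example; not output captured from a real server.
        String earlier = String.join("\n",
                "# TYPE reactor_netty_http_server_response_time_seconds summary",
                "reactor_netty_http_server_response_time_seconds_count{method=\"GET\",status=\"200\",uri=\"/health\"} 12",
                "reactor_netty_http_server_response_time_seconds_count{method=\"POST\",status=\"201\",uri=\"/orders\"} 3",
                "reactor_netty_http_server_connections_active{local_address=\"0.0.0.0:8080\",uri=\"http\"} 2");
        StringBuilder later = new StringBuilder(earlier);
        for (int i = 0; i < 50; i++) { // a burst in which every request produced a new label set
            later.append("\nreactor_netty_http_server_response_time_seconds_count{method=\"GET\",status=\"404\",uri=\"/x")
                 .append(i).append("\"} 1");
        }
        String prefix = "reactor_netty_http_server_";
        Map<String, Integer> before = seriesPerFamily(earlier, prefix);
        Map<String, Integer> after = seriesPerFamily(later.toString(), prefix);
        for (String alert : findings(before, after, 500, 20)) {
            System.out.println("ALERT " + alert);
        }
    }
}
```

Run it against two consecutive scrapes of /actuator/prometheus (or whatever path your registry is exported on) and feed the findings into the alerting already suggested for response-time and error-rate spikes; a burst of new label sets that coincides with a traffic anomaly is the pattern worth paging on. The 500 and 20 thresholds are placeholders, to be tuned to the steady-state series count of your service.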
How to Mitigate CVE-2023-34054
Immediate Actions Required
- Upgrade Reactor Netty to version 1.1.13 or later for 1.1.x branch
- Upgrade Reactor Netty to version 1.0.39 or later for 1.0.x branch
- If immediate patching is not possible, consider temporarily disabling Micrometer integration
- Review and update Spring Boot dependencies if using Spring WebFlux, as it bundles Reactor Netty
Patch Information
The Reactor team has released patched versions that address this vulnerability. For applications on the 1.1.x branch, upgrade to 1.1.13 or later; for applications on the 1.0.x branch, upgrade to 1.0.39 or later. Spring Boot applications normally receive Reactor Netty through Boot's dependency management, so upgrade to a Spring Boot release whose managed Reactor version is at or above these numbers, or override the managed version. See the Spring security advisory for CVE-2023-34054 for the authoritative version list and upgrade guidance.
Workarounds
- Disable Micrometer metrics integration if not critical to operations until patching is complete
- Implement rate limiting at the load balancer or reverse proxy level to mitigate DoS attempts
- Deploy WAF rules to filter suspicious HTTP requests before they reach the application
- Consider network segmentation to limit exposure of vulnerable services
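The workaround of disabling the integration is a single setting on the HttpServer builder. The following is an added example for this page, not code from the Reactor Netty project or the Spring advisory: it shows the configuration an affected deployment would have (metrics on, with a uriTagValue function that collapses path variables) next to the temporary workaround (metrics off). The port, the /health and /users/{id} routes and the class name are assumptions made for the example.

```java
import java.util.function.Function;

import reactor.core.publisher.Mono;
import reactor.netty.DisposableServer;
import reactor.netty.http.server.HttpServer;

public class MetricsToggle {

    /** Affected configuration: the built-in Micrometer integration is enabled. */
    static HttpServer serverWithMetrics() {
        // uriTagValue maps each request URI to the value of the "uri" meter tag, so that
        // path variables do not produce a meter per distinct path. The /users/{id} route
        // is hypothetical; map your own templated routes here.
        Function<String, String> uriTagValue =
                uri -> uri.startsWith("/users/") ? "/users/{id}" : uri;
        return baseServer().metrics(true, uriTagValue);
    }

    /** Workaround for CVE-2023-34054 until the upgrade ships: the integration is off. */
    static HttpServer serverWithoutMetrics() {
        return baseServer().metrics(false, Function.identity());
    }

    private static HttpServer baseServer() {
        return HttpServer.create()
                .port(8080)
                .route(routes -> routes.get("/health",
                        (request, response) -> response.sendString(Mono.just("ok"))));
    }

    public static void main(String[] args) {
        DisposableServer server = serverWithoutMetrics().bindNow();
        System.out.println("listening on port " + server.port()
                + " with Reactor Netty metrics disabled");
        server.onDispose().block();
    }
}
```

In a Spring Boot application the same toggle is applied through a NettyServerCustomizer bean that returns server.metrics(false, Function.identity()); check that no other customizer re-enables it later in the chain, since the last call wins. Disabling the integration removes the reactor.netty.http.server.* meters from your dashboards, so plan to restore it as soon as the patched version is deployed.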
Example Maven dependency update for Reactor Netty 1.1.x. In pom.xml, set the version on every reactor-netty artifact you declare (reactor-netty-http pulls in reactor-netty-core, and the two must stay on the same version):

    <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty-http</artifactId>
        <version>1.1.13</version>
    </dependency>

Spring Boot projects inherit the Reactor version from the Boot BOM; override the reactor-bom.version property (or upgrade Boot itself) rather than pinning one artifact, otherwise the core and http artifacts drift apart. Then verify what is actually resolved rather than what is declared:

    mvn dependency:tree | grep reactor-netty
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


