CVE-2023-34062 Overview
A directory traversal vulnerability exists in Reactor Netty HTTP Server that allows a malicious user to send a request using a specially crafted URL to access files outside the intended directory structure. This vulnerability specifically affects applications where Reactor Netty HTTP Server is configured to serve static resources.
Critical Impact
Attackers can exploit this vulnerability to read arbitrary files from the server's file system, potentially exposing sensitive configuration files, credentials, source code, or other confidential data.
Affected Products
- Pivotal Reactor Netty versions 1.1.x prior to 1.1.13
- Pivotal Reactor Netty versions 1.0.x prior to 1.0.39
Discovery Timeline
- 2023-11-15 - CVE-2023-34062 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34062
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) occurs in the static resource serving functionality of Reactor Netty HTTP Server. When an application is configured to serve static files, insufficient validation of user-supplied URL paths allows attackers to escape the designated resource directory and access arbitrary files on the server's file system.
The vulnerability is exploitable remotely without authentication. An attacker can craft malicious HTTP requests containing path traversal sequences to navigate outside the web root directory. This can lead to unauthorized access to sensitive files such as configuration files, application source code, database credentials, or system files.
Root Cause
The root cause of this vulnerability lies in improper input validation of URL paths in the static resource handling logic. The application fails to properly sanitize and normalize file path inputs before resolving them against the file system, allowing path traversal sequences like ../ to escape the intended static resource directory.
Attack Vector
The attack is conducted over the network by sending HTTP requests with specially crafted URLs to a vulnerable Reactor Netty HTTP Server instance. The attacker does not require any privileges or user interaction to exploit this vulnerability.
When a malicious request containing directory traversal sequences is received, the server processes the path without adequate validation, allowing the attacker to specify file paths that resolve outside the configured static resources directory. This enables reading of arbitrary files accessible to the server process.
For example, an attacker could craft a URL with encoded path traversal sequences (such as %2e%2e%2f for ../) to bypass basic path filtering and access files like /etc/passwd on Unix systems or configuration files containing sensitive credentials.
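The root cause and the encoded bypass described above, as an added example that is not Reactor Netty's own code: a resolver that joins the request path onto the static root without a containment check, beside the hardened form that decodes, normalizes and then verifies the result stays under the root. The root directory and request paths are constructed for illustration.

```python
"""Added example (not Reactor Netty's own code): a static-file resolver that
skips containment checking beside the hardened form; the root directory and
request paths are constructed for illustration."""
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

STATIC_ROOT = PurePosixPath("/srv/static")  # assumed example root (constructed)


def decode_path(url_path: str) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e is seen as '..' just like a single-encoded %2e%2e."""
    prev = None
    while prev != url_path:
        prev, url_path = url_path, unquote(url_path)
    return url_path


def resolve_naive(url_path: str) -> str:
    """Vulnerable pattern (CWE-22): join the decoded request path onto the
    root and normalize, but never check where the result lands."""
    return posixpath.normpath(str(STATIC_ROOT / decode_path(url_path).lstrip("/")))


def resolve_safe(url_path: str) -> Optional[str]:
    """Hardened form: decode, normalize, then require the result to be the
    root itself or strictly below it. Returns None for anything that
    escapes, which the caller should answer with 403/404. Comparing path
    components (not a string prefix) also rejects /srv/static2/... being
    accepted as if it were under /srv/static."""
    candidate = PurePosixPath(resolve_naive(url_path))
    if candidate != STATIC_ROOT and STATIC_ROOT not in candidate.parents:
        return None
    return str(candidate)
```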
Detection Methods for CVE-2023-34062
Indicators of Compromise
- HTTP requests containing path traversal patterns such as ../, ..%2f, %2e%2e/, or URL-encoded variants
- Access logs showing requests for sensitive system files like /etc/passwd, /etc/shadow, or application configuration files
- Unusual file access patterns from the Reactor Netty process to files outside the static resource directory
- HTTP 200 responses for requests that should not resolve to valid resources
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Configure intrusion detection systems (IDS) to alert on directory traversal signatures in network traffic
- Monitor application logs for requests containing encoded path traversal sequences
- Deploy SentinelOne Singularity to detect anomalous file access patterns from web server processes
Monitoring Recommendations
- Enable detailed access logging on Reactor Netty HTTP Server instances
- Monitor for file read operations outside designated static resource directories
- Set up alerts for high volumes of 403/404 errors that may indicate scanning activity
- Review and audit static resource configurations regularly
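The indicators and log-monitoring recommendations above, turned into a small access-log scanner as an added example (not part of the advisory): it percent-decodes each request path, flags traversal sequences, encoded variants and sensitive targets, and escalates when a traversal request was answered with a 2xx. The log lines are constructed samples in combined log format; the field layout and the sensitive-file list are assumptions.

```python
"""Added example (not from the advisory): scan access-log lines for the
CVE-2023-34062 indicators. The log lines below are constructed samples in
combined log format; the field layout and SENSITIVE list are assumptions."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "application.properties", "application.yml")

# Constructed sample: one benign request followed by four traversal attempts.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2023:10:01:02 +0000] "GET /css/app.css HTTP/1.1" 200 1420
203.0.113.9 - - [15/Nov/2023:10:01:05 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2231
203.0.113.9 - - [15/Nov/2023:10:01:06 +0000] "GET /static/%2e%2e/%2e%2e/application.properties HTTP/1.1" 200 512
203.0.113.9 - - [15/Nov/2023:10:01:07 +0000] "GET /static/../../etc/shadow HTTP/1.1" 403 0
203.0.113.9 - - [15/Nov/2023:10:01:08 +0000] "GET /static/%252e%252e%252fetc/passwd HTTP/1.1" 404 0
"""

def fully_decode(path: str) -> str:
    """Percent-decode until stable so double-encoded %252e%252e is caught too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path

def classify(line: str):
    """Return None for a benign line, else a dict naming the indicators hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["path"])
    reasons = []
    if "../" in decoded or decoded.endswith("/.."):
        reasons.append("traversal")
    if ".." in decoded and decoded != m["path"]:
        reasons.append("encoded")  # part of the sequence was percent-encoded
    if any(s in decoded for s in SENSITIVE):
        reasons.append("sensitive_target")
    if not reasons:
        return None
    # A 2xx on a traversal request means the file was actually served: escalate.
    severity = "high" if "traversal" in reasons and m["status"].startswith("2") else "medium"
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "reasons": reasons, "severity": severity}

def scan(log_text: str) -> list:
    """Run classify over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```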
How to Mitigate CVE-2023-34062
Immediate Actions Required
- Upgrade Reactor Netty to version 1.1.13 or later for 1.1.x branch users
- Upgrade Reactor Netty to version 1.0.39 or later for 1.0.x branch users
- Audit application configurations to identify instances serving static resources
- Review access logs for signs of exploitation attempts
Patch Information
VMware has released patched versions of Reactor Netty that address this vulnerability. Users should upgrade to version 1.1.13 or later for the 1.1.x branch, or version 1.0.39 or later for the 1.0.x branch. The vendor's security advisory for CVE-2023-34062 is published on the Spring security advisories page.
Workarounds
- Disable static resource serving functionality if not required by the application
- Implement a reverse proxy with path validation in front of the Reactor Netty server
- Apply web application firewall rules to block path traversal patterns
- Restrict file system permissions for the user account running the Reactor Netty process
# Example: using a reverse proxy (nginx) with path validation in front of Reactor Netty
# $request_uri is the raw, un-decoded request line (including the query string), so
# match both a literal ".." and its percent-encoded forms (%2e%2e, %2e., .%2e);
# "~*" makes the match case-insensitive so %2E variants are caught as well
location / {
    if ($request_uri ~* "(\.\.|%2e%2e|%2e\.|\.%2e)") {
        return 403;
    }
    proxy_pass http://reactor-netty-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.