CVE-2023-34055

Denial of Service
Affects Spring Boot in Spring
Versions: >=2.5.0 <=2.7.17, >=3.0.0 <=3.0.12, >=3.1.0 <=3.1.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Boot is an opinionated framework built on top of the Spring Framework that lets developers create stand-alone, production-grade Spring applications with minimal configuration. Its Actuator module auto-configures a suite of operational endpoints and exposes runtime telemetry such as health, metrics, and tracing. By default, Actuator registers a Micrometer timer metric named http.server.requests that records a sample for every incoming HTTP request and tags each sample with the request's method, URI, status, exception, and outcome.

A medium-severity vulnerability (CVE-2023-34055) has been identified in that metrics pipeline. In affected versions, WebMvcTags.method(HttpServletRequest) and WebFluxTags.method(ServerWebExchange) populate the method tag directly from the raw request string returned by HttpServletRequest.getMethod() or ServerHttpRequest.getMethodValue(), without validating it against the known set of HTTP methods. Micrometer retains every distinct tag combination in memory, so an unauthenticated remote attacker who can send HTTP requests to any Actuator-enabled endpoint can issue requests with arbitrary method tokens (random strings, typos, malicious payloads) and force the server to register an unbounded number of Meter instances, exhausting heap memory and eventually denying service. Because the metrics filter is on the request path, even requests that do not match a handler are tagged and recorded.

Per OWASP: "The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others." Here the attacker abuses the asymmetry between a cheap request and the cost of allocating and retaining a new Meter tag combination.

The CVSS v3.1 base score for this vulnerability is 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L per the VMware CNA scoring. The attack is network-accessible, requires no authentication or user interaction, and its impact is confined to availability.

This issue affects Spring Boot versions 2.5.0 through 2.7.17, 3.0.0 through 3.0.12, and 3.1.0 through 3.1.5.

Details

Module Info

Vulnerability Info

The Actuator metrics auto-configuration registers WebMvcMetricsFilter (for Servlet-based Spring MVC applications) and MetricsWebFilter (for reactive Spring WebFlux applications). Both filters time every request and tag the resulting sample with values produced by the WebMvcTags and WebFluxTags utility classes respectively. The method tag is produced by:

// Affected versions (Servlet / Spring MVC): the tag value is the raw request-line
// token returned by getMethod(), used without any validation.
public static Tag method(HttpServletRequest request) {
    return (request != null) ? Tag.of("method", request.getMethod()) : METHOD_UNKNOWN;
}

// Affected versions (reactive / WebFlux): getMethodValue() likewise returns the raw string.
public static Tag method(ServerWebExchange exchange) {
    return Tag.of("method", exchange.getRequest().getMethodValue());
}

HttpServletRequest.getMethod() and ServerHttpRequest.getMethodValue() both return the raw method token from the request line. An HTTP server will accept any token that matches the method = token production in RFC 7230, which allows virtually any printable ASCII string. When this unbounded input is used directly as a metric tag, it produces a high cardinality dimension: Micrometer uses the (name, tags...) tuple as the lookup key in its Meter registry, so every unique method string creates a new Meter instance that is retained for the lifetime of the process. A few thousand requests with random method tokens are sufficient to inflate the registry and starve the heap.

The fix constrains the tag value to the closed set of org.springframework.http.HttpMethod enum names and collapses anything unrecognized into a single UNKNOWN tag. On the Servlet side the raw method string is routed through HttpMethod.resolve(...); on the reactive side the fix takes advantage of ServerHttpRequest.getMethod() already returning a strongly typed HttpMethod enum rather than a raw string:

// Fixed (Servlet side): the raw token is resolved against the HttpMethod enum;
// anything that does not resolve, and a null request, map to the single UNKNOWN tag.
public static Tag method(HttpServletRequest request) {
    if (request != null) {
        HttpMethod httpMethod = HttpMethod.resolve(request.getMethod());
        if (httpMethod != null) {
            return Tag.of("method", httpMethod.name());
        }
    }
    return METHOD_UNKNOWN;
}

// Fixed (reactive side): getMethod() already returns the typed enum (null when the
// token is not a known method), so only the enum name or UNKNOWN can become the tag.
public static Tag method(ServerWebExchange exchange) {
    HttpMethod httpMethod = exchange.getRequest().getMethod();
    if (httpMethod != null) {
        return Tag.of("method", httpMethod.name());
    }
    return METHOD_UNKNOWN;
}

With the fix in place the cardinality of the method tag is bounded by the size of the HttpMethod enum plus one (UNKNOWN), regardless of input.
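As an added example (not code from HeroDevs or the Spring Boot project), the following defender-side check reads the JSON that Actuator's /actuator/metrics/http.server.requests endpoint returns, counts the distinct values of the method tag, and flags any value outside the HttpMethod names the fix permits; an unpatched instance that has received junk method tokens shows up immediately. The set of method names (taken from the Spring 5.x HttpMethod enum) and the sample JSON are assumptions constructed here.

```python
import json

# Names of the org.springframework.http.HttpMethod enum constants (assumption:
# Spring Framework 5.x). The fixed code only ever emits one of these or UNKNOWN.
KNOWN_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE"}
)
# Upper bound the fix guarantees for the method tag: every enum name plus UNKNOWN.
MAX_EXPECTED_METHOD_VALUES = len(KNOWN_METHODS) + 1

# Constructed sample of an Actuator metric response, trimmed to the fields this
# check reads (the real response also carries "description", "baseUnit" and
# "measurements"). This one shows junk method tokens already recorded as tags.
SAMPLE_METRIC_JSON = json.dumps({
    "name": "http.server.requests",
    "availableTags": [
        {"tag": "status", "values": ["200", "404"]},
        {"tag": "method", "values": ["GET", "POST", "FOO", "bar123", "QUUX"]},
        {"tag": "uri", "values": ["/actuator/health", "UNKNOWN"]},
    ],
})

# Constructed sample from a patched instance: only enum names and UNKNOWN appear.
HEALTHY_METRIC_JSON = json.dumps({
    "name": "http.server.requests",
    "availableTags": [
        {"tag": "method", "values": ["GET", "POST", "UNKNOWN"]},
    ],
})


def method_tag_values(metric_json: str) -> list:
    """Return the distinct values Actuator reports for the 'method' tag."""
    doc = json.loads(metric_json)
    for entry in doc.get("availableTags", []):
        if entry.get("tag") == "method":
            return list(entry.get("values", []))
    return []


def assess_method_cardinality(metric_json: str) -> dict:
    """Flag a registry whose method tag has grown beyond what the fix allows."""
    values = method_tag_values(metric_json)
    unexpected = sorted(v for v in values if v not in KNOWN_METHODS and v != "UNKNOWN")
    return {
        "distinct": len(values),
        "unexpected": unexpected,
        # Either signal alone means unbounded tokens are reaching the meter registry.
        "suspicious": bool(unexpected) or len(values) > MAX_EXPECTED_METHOD_VALUES,
    }
```

Run it periodically against the live endpoint; a non-empty "unexpected" list on a version inside the affected ranges is a direct indicator that the cardinality growth described above is underway.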

Mitigation

Only recent versions of Spring Boot receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Boot.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Boot.

As a configuration-only workaround for operators who cannot upgrade immediately, the http.server.requests meter can be disabled with the property management.metrics.enable.http.server.requests=false. This prevents registration of any HTTP request timer and therefore prevents cardinality growth, at the cost of losing all HTTP request metrics.

Credits

  • James Yuzawa (finder)
  • Brian Clozel from Broadcom (fix author)

Vulnerability Details

Severity: Medium
  (CVSS assessment levels: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2023-34055
Project Affected: Spring Boot
Versions Affected: >=2.5.0 <=2.7.17, >=3.0.0 <=3.0.12, >=3.1.0 <=3.1.5
NES Versions Affected:
Published date: May 1, 2026
≈ Fix date: November 23, 2023
Category: Denial of Service