Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2023-20883

Denial of Service
Affects
Spring Boot
>=1.5.0 <=1.5.22, >=2.5.0 <2.5.15, >=2.6.0 <2.6.15, >=2.7.0 <2.7.12 >=3.0.0 <3.0.7
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Overview

Spring Boot helps developers to create Spring-based applications with minimal configuration. Production-grade features are provided out-of-the box. Common Spring features can be enabled by adding “starter” modules to a project, with sensible defaults that can easily be overridden.

A Denial of Service (DoS) vulnerability (CVE-2023-20883) has been identified in Sprin Boot, which could a DoS attack when using Spring MVC with a reverse proxy cache.

Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

This issue affects multiple versions of Spring Boot.

Details

Module Info

Vulnerability Info

Key conditions for vulnerability:

  1. Spring MVC auto-configuration is enabled (default when Spring MVC is on the classpath).
  2. The application uses Spring Boot's welcome page support (either static or templated).
  3. The application is deployed behind a proxy that caches 404 responses.

Not vulnerable if:

  • Spring MVC auto-configuration is disabled.
  • The application does not use Spring Boot's welcome page support.
  • There is no proxy caching 404 responses.

If the conditions above are met, the reverse proxy may unnecessarily cache 404 (Not Found) responses. Normally, 404 responses are temporary and should not be cached for extended periods. However, in this scenario, the proxy mistakenly stores these responses in its cache.

Over time, as more 404 responses are cached, the proxy’s memory becomes consumed, potentially leading to resource exhaustion. This can degrade the system’s performance and ultimately result in a Denial-of-Service (DoS), where legitimate users are unable to access the application due to insufficient memory or processing capacity on the proxy.

Steps to Reproduce

  1. Set Up a Spring Boot Application:some text
    1. Create a new Spring Boot application using one of the affected versions (e.g., 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, or 2.5.0 - 2.5.14).
    2. Ensure Spring MVC auto-configuration is enabled (default if Spring MVC is on the classpath).
    3. Enable Spring Boot's welcome page support by placing a static index.html or a template in the src/main/resources/static/ or src/main/resources/templates/ directory.
  2. Deploy the Application Behind a Reverse Proxy:some text
    1. Set up a reverse proxy (e.g., NGINX, Apache, or HAProxy) in front of the Spring Boot application.
    2. Configure the proxy to cache 404 responses and enable caching for requests to the root path (/).
  3. Trigger 404 Responses:some text
    1. Send multiple requests to non-existent endpoints of the application (e.g., http://your-app/nonexistent).
    2. Observe that the reverse proxy caches the 404 responses instead of 406.
  4. Monitor Proxy Behavior:some text
    1. Continue sending requests to various non-existent endpoints or the root (/) if no welcome page exists.
    2. Observe the proxy's memory usage increasing as it caches more 404 responses.
  5. Result:some text
    1. Eventually, the proxy may experience memory exhaustion, leading to performance degradation or a Denial-of-Service (DoS), making the application inaccessible to legitimate users.

Credits

  • Martin van Kervel Smedshammer

Mitigation

Spring Boot 1.5 and 2.2 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Boot.
  • Configure the reverse proxy to avoid caching 404 responses and/or to exclude caching responses for requests made to the root path (/**).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Pink arrow
Pink arrow
CVE-2021-22112
CVE-2022-22978
CVE-2022-22976
CVE-2022-27772
CVE-2023-20883
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2024-53677
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2023-20883
PROJECT Affected
Spring Boot
Versions Affected
>=1.5.0 <=1.5.22, >=2.5.0 <2.5.15, >=2.6.0 <2.6.15, >=2.7.0 <2.7.12 >=3.0.0 <3.0.7
Published date
May 19, 2023
≈ Fix date
May 19, 2024
Fixed in
NES for Spring
Severity
High
Category
Denial of Service