Uploaded image for project: 'Red Hat build of OptaPlanner'
  1. Red Hat build of OptaPlanner
  2. RHBOP-53

CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability [rhbop-8]

XMLWordPrintable

    • False
    • None
    • False

      Security Tracking Issue

      Do not make this issue public.

      Impact: Important
      Reported Date: 23-May-2023
      Resolve Bug By: 13-Jun-2023

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then.

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:

      CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability
      https://bugzilla.redhat.com/show_bug.cgi?id=2209342

      In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

      Specifically, an application is vulnerable if all of the conditions are true:

      The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
      The application makes use of Spring Boot's welcome page support, either static or templated.
      Your application is deployed behind a proxy which caches 404 responses.
      Your application is NOT vulnerable if any of the following are true:

      Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
      The application does not use Spring Boot's welcome page support.

      PR https://github.com/kiegroup/optaplanner-quickstarts/pull/571
      You do not have a proxy which caches 404 responses.
      Affected Spring Products and Versions
      Spring Boot

      3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14

      Older, unsupported versions are also affected

      Mitigation
      Users of affected versions should apply the following mitigations:

      3.0.x users should upgrade to 3.0.7+
      2.7.x users should upgrade to 2.7.12+
      2.6.x users should upgrade to 2.6.15+
      2.5.x users should upgrade to 2.5.15+
      Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.

      Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root of the application.

            cchianel Christopher Chianelli
            rhn-support-pdelbell Patrick Del Bello
            Andrea Lamparelli, Anna Dupliak, Chess Hazlett, Enrique Mingorance Cano, Lukáš Petrovický (Inactive), Marek Novotny, Paramvir Jindal, Radovan Synek, Rajesh Rajasekaran, Roberto Oliveira, Sandipan Roy
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: