Bug 2209342 (CVE-2023-20883)

Summary: CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adupliak, aileenc, alampare, alazarot, anstephe, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, cmiranda, cmoulliard, darran.lofthouse, dbruscin, dhanak, dkreling, dosoudil, drichtar, drosa, emingora, fjuma, fmariani, ggrzybek, gjospin, gmalinko, gtanzill, hbraun, ibek, ikanello, istudens, ivassile, iweiss, janstey, jbuscemi, jpavlik, jpoth, jrokos, jross, jscholz, kaycoth, kvanderr, kverlaen, lbacciot, lgao, lpetrovi, lthon, mizdebsk, mnovotny, mosmerov, mposolda, msochure, msvehla, nwallace, pbizzarr, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, pskopek, rguimara, rkieley, rowaters, rrajasek, rruss, rstancel, rstepani, saroy, sausingh, smaestri, ssilvert, sthorger, swoodman, tcunning, tom.jenkinson, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: spring-boot 3.0.7, spring-boot 2.7.12, spring-boot 2.6.15, spring-boot 2.5.15 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-22 00:40:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2209388, 2209482, 2209483, 2209484, 2209485    
Bug Blocks: 2209327    

Description Patrick Del Bello 2023-05-23 14:49:18 UTC 
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Specifically, an application is vulnerable if all of the conditions are true:

The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
The application makes use of Spring Boot's welcome page support, either static or templated.
Your application is deployed behind a proxy which caches 404 responses.
Your application is NOT vulnerable if any of the following are true:

Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
The application does not use Spring Boot's welcome page support.
You do not have a proxy which caches 404 responses.
Affected Spring Products and Versions
Spring Boot

3.0.0 to 3.0.6 2.7.0 to 2.7.11 2.6.0 to 2.6.14 2.5.0 to 2.5.14

Older, unsupported versions are also affected

Mitigation
Users of affected versions should apply the following mitigations:

3.0.x users should upgrade to 3.0.7+
2.7.x users should upgrade to 2.7.12+
2.6.x users should upgrade to 2.6.15+
2.5.x users should upgrade to 2.5.15+
Users of older, unsupported versions should upgrade to 3.0.7+ or 2.7.12+.

Workarounds: configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.
Comment 3 Patrick Del Bello 2023-05-23 18:36:43 UTC 
Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2209388]
Comment 12 errata-xmlrpc 2023-06-15 15:24:17 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P2

Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641
Comment 13 errata-xmlrpc 2023-06-21 14:32:34 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1.P1

Via RHSA-2023:3740 https://access.redhat.com/errata/RHSA-2023:3740
Comment 14 Product Security DevOps Team 2023-06-22 00:40:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-20883
Comment 15 errata-xmlrpc 2023-06-29 20:08:41 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
Comment 16 errata-xmlrpc 2023-07-18 13:50:31 UTC 
This issue has been addressed in the following products:

  Red Hat build of OptaPlanner Text-Only advisories

Via RHSA-2023:4200 https://access.redhat.com/errata/RHSA-2023:4200
Comment 17 errata-xmlrpc 2023-09-05 18:37:22 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983