A recent vulnerability has been discovered in the Reactor Netty HTTP Server and assigned the identifier CVE-2023-34054. It affects versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39 and can lead to a denial-of-service (DoS) condition. The issue specifically impacts applications that have Reactor Netty HTTP Server's built-in integration with Micrometer enabled. In this post, we will delve into the details of the vulnerability, a code snippet demonstrating the issue, and how to remediate the problem.

Vulnerability Details

The core of this vulnerability lies in the handling of HTTP requests, in which a user can craft a specially designed request that may trigger a DoS condition. This is particularly concerning as the vulnerability revolves around the built-in integration of Reactor Netty HTTP Server with Micrometer, a popular monitoring and metering library for JVM-based applications.

Whether the Micrometer integration is enabled depends on how the server is configured: it may be on by default in some setups or switched on explicitly by the user. Applications that do not have the Micrometer integration enabled are not affected by this vulnerability.

Here is a sample code snippet that illustrates the vulnerability:

import java.util.function.Function;

import io.netty.channel.ChannelOption;
import reactor.core.publisher.Mono;
import reactor.netty.http.server.HttpServer;

public class ReactorNettyHttpServer {
    public static void main(String[] args) {
        HttpServer.create()
                .option(ChannelOption.AUTO_READ, false) // The vulnerability is triggered here
                .port(818)
                // Enables the built-in Micrometer integration (Micrometer must be on the classpath);
                // the second argument maps request URIs to the value used for the "uri" tag
                .metrics(true, Function.identity())
                .route(routes -> routes.get("/hello",
                        (req, res) -> res.sendString(Mono.just("Hello World!"))))
                .bindNow()
                .onDispose() // block until the server is disposed
                .block();
    }
}

In this code snippet, the ChannelOption.AUTO_READ flag is set to false, which causes the DoS to be triggered when a specially crafted HTTP request arrives.

- Reactor Netty GitHub Repository: https://github.com/reactor/reactor-netty
- Micrometer Application Monitoring: https://micrometer.io/
- NVD - CVE-2023-34054: https://nvd.nist.gov/vuln/detail/CVE-2023-34054
- Reactor Netty Security Advisories: https://github.com/reactor/reactor-netty/security/advisories

Exploit details

As of now, no known exploits have been reported in the wild. However, the potential for exploitation still exists, considering the severity of the vulnerability.

Mitigation Steps

To mitigate the issue, it is recommended that users of Reactor Netty HTTP Server promptly update to the latest version, based on the following recommendations:

For Reactor Netty 1.1.x, update to version 1.1.13 or later; for Reactor Netty 1.0.x, update to version 1.0.39 or later
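As an added check (not part of the original post), the following Python script applies the affected version ranges stated above to the reactor-netty-http artifact found in mvn dependency:tree output. The dependency-tree lines are constructed sample input; the artifact coordinates are the real Maven coordinates of the Reactor Netty HTTP module.

```python
import re
from typing import List, Tuple

# Fixed versions per the advisory: 1.1.x is fixed in 1.1.13, 1.0.x is fixed in 1.0.39.
# Keyed by (major, minor) so each supported line is compared against its own fix.
FIXED_VERSIONS = {(1, 1): (1, 1, 13), (1, 0): (1, 0, 39)}

# Matches the Maven coordinates of the HTTP module as printed by `mvn dependency:tree`,
# e.g. "io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile".
DEP_RE = re.compile(
    r"io\.projectreactor\.netty:reactor-netty-http:jar:(\d+\.\d+\.\d+[^:\s]*)"
)


def is_affected(version: str) -> bool:
    """Return True if `version` falls inside one of the advisory's affected ranges.

    Lines the advisory does not name (e.g. 1.2.x or 0.9.x) are reported as not affected
    by *this* CVE; a qualifier such as "-SNAPSHOT" is ignored for the comparison.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def scan_dependency_tree(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every reactor-netty-http occurrence in the tree."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if m:
            version = m.group(1)
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample output of `mvn dependency:tree` for a hypothetical project.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile
[INFO] |  \\- io.projectreactor.netty:reactor-netty-core:jar:1.1.12:compile
[INFO] \\- io.micrometer:micrometer-core:jar:1.11.5:compile
""".splitlines()

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"reactor-netty-http {version}: {'AFFECTED' if affected else 'ok'}")
```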

In conclusion, this vulnerability in Reactor Netty HTTP Server, CVE-2023-34054, highlights the need for continuous monitoring and updating when it comes to software and dependencies. Those who are utilizing the affected versions of Reactor Netty HTTP Server should update to the recommended versions immediately to secure their applications.

Timeline

Published on: 11/28/2023 09:15:07 UTC
Last modified on: 12/04/2023 19:59:30 UTC