A newly discovered vulnerability, CVE-2023-47633, has been identified in Traefik, an open-source HTTP reverse proxy and load balancer. This issue specifically affects the Traefik Docker container and results in high CPU usage (100%) when it serves as its own backend.
In this post, we'll provide an overview of the vulnerability, its impact, code snippets illustrating the issue, and references to original sources. We'll also explain how to update your Traefik version to protect yourself from this exploit.
This vulnerability is caused by an automatically generated route that results from the default Docker integration in the Traefik configuration. When Traefik serves as its own backend in this configuration, the container consumes 100% CPU, which can lead to denial of service (DoS) and other performance issues.
This vulnerability affects Traefik versions prior to 2.10.6 and 3.0.0-beta5.
Here's an example of a configuration that will lead to high CPU usage due to CVE-2023-47633:
[providers.docker]
  exposedByDefault = true
  watch = true
This configuration has the Docker provider watching containers and exposing their services by default, causing an automatically generated route to be created for the backend container.
An attacker can exploit this vulnerability by triggering a specific HTTP request to the backend Traefik service, causing it to consume 100% CPU. This can lead to a denial of service for any applications using the affected Traefik service.
How to Protect Yourself
To protect yourself from this vulnerability, you should update your Traefik version to 2.10.6 or 3.0.0-beta5 or later. There are no known workarounds for this issue.
You can upgrade Traefik by following the official documentation:
- Traefik v2: https://doc.traefik.io/traefik/v2.5/getting-started/install-traefik/
- Traefik v3 (beta): https://doc.traefik.io/traefik/v3.0/getting-started/
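To check whether a deployment falls in the affected range before upgrading, the following added example (not code from the original post or from the Traefik project) compares a version string against the fixed releases 2.10.6 and 3.0.0-beta5 and scans a TOML static configuration for the Docker provider settings shown earlier. The function names and the sample configuration are constructed for illustration, and the scan handles only the [providers.docker] table form.

```python
import re
# Added example: helper names are hypothetical, none of this is Traefik code.
FIXED_V2, FIXED_V3 = "2.10.6", "3.0.0-beta5"  # fixed releases named in the post

def parse_version(text):
    """Turn 'v3.0.0-beta4' into a sortable pair; beta4 < beta5 < rc1 < final."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.?(\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(part) for part in m.group(1, 2, 3))
    pre = (0, m.group(4), int(m.group(5) or 0)) if m.group(4) else (1, "", 0)
    return core, pre

def version_is_affected(text):
    version = parse_version(text)
    fixed = FIXED_V3 if version[0][0] >= 3 else FIXED_V2
    return version < parse_version(fixed)

def docker_exposed_by_default(toml_text):
    """True when [providers.docker] is present and exposedByDefault is not false."""
    # Table form only; an absent key keeps Traefik's default of true.
    section, docker, exposed = "", False, True
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[] ").lower()
            docker = docker or section.split(".")[:2] == ["providers", "docker"]
        elif section == "providers.docker" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key == "exposedbydefault":
                exposed = value == "true"
    return docker and exposed

def assess(version, toml_text):
    if not version_is_affected(version):
        return "fixed"
    matches = docker_exposed_by_default(toml_text)
    return "affected, configuration matches" if matches else "affected"

# Constructed sample: the settings from the post inside their TOML table.
SAMPLE = """
[providers.docker]
  exposedByDefault = true
  watch = true
"""

if __name__ == "__main__":
    for v in ("2.10.5", "2.10.6", "3.0.0-beta4", "3.0.0-beta5"):
        print(v, "->", assess(v, SAMPLE))
```

A result of "affected" still calls for the upgrade; the configuration match only indicates that the deployment also carries the Docker provider settings shown earlier.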
Here are the original references related to this vulnerability
It's essential to stay up-to-date on vulnerability disclosures to keep your systems secure. This CVE-2023-47633 vulnerability, affecting Traefik Docker containers, can result in high CPU usage and potential denial of service attacks. By updating your Traefik version to 2.10.6 or 3.0.0-beta5 or later, you can effectively mitigate this issue and keep your systems running smoothly.
Published on: 12/04/2023 21:15:34 UTC
Last modified on: 12/07/2023 20:51:18 UTC