CVE-2023-6378 - OpenCVE

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Qos	Logback

Configuration 1 [-]

OR	cpe:2.3:a:qos:logback::::::::
	cpe:2.3:a:qos:logback::::::::
	cpe:2.3:a:qos:logback::::::::

References

Link	Resource
https://logback.qos.ch/news.html#1.3.12	Release Notes

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2023-11-29T12:02:37.496Z

Updated: 2023-12-05T08:57:52.168Z

Reserved: 2023-11-29T10:18:07.523Z

Link: CVE-2023-6378

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-29T12:15:07.543

Modified: 2023-12-05T21:00:10.557

Link: CVE-2023-6378

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6378", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2023-11-29T10:18:07.523Z", "datePublished": "2023-11-29T12:02:37.496Z", "dateUpdated": "2023-12-05T08:57:52.168Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["logback receiver"], "platforms": ["Windows", "Linux", "MacOS"], "product": "logback", "repo": "https://github.com/qos-ch/logback", "vendor": "QOS.CH Sarl", "versions": [{"status": "unaffected", "version": "1.4.12"}, {"status": "unaffected", "version": "1.3.12"}, {"status": "unaffected", "version": "1.2.13"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<pre>The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.</pre>\n\n<br>"}], "value": "The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\n\n\n\n\n"}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Yakov Shafranovich, Amazon Web Services"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"}], "value": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Excessive CPU or memory usage on the host where a logback receiver component is deployed"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "Denial-of-service using poisoned data", "lang": "en"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2023-12-05T08:57:52.168Z"}, "references": [{"url": "https://logback.qos.ch/news.html#1.3.12"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.<br>"}], "value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Logback \"receiver\" DOS vulnerability ", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Only environments where logback receiver is deployed are vulnerable. <br>"}], "value": "Only environments where logback receiver is deployed are vulnerable. \n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qos:logback:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A75DA21-E526-4DD5-A438-AF8420D862A2", "versionEndExcluding": "1.2.13", "versionStartIncluding": "1.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qos:logback:*:*:*:*:*:*:*:*", "matchCriteriaId": "C85D3836-AB90-468C-8C38-528FF62C3595", "versionEndExcluding": "1.3.12", "versionStartIncluding": "1.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qos:logback:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF67A816-FE60-4301-AA46-EED6E5F5AC66", "versionEndExcluding": "1.4.12", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"}, {"lang": "es", "value": "Una vulnerabilidad de serializaci\u00f3n en el componente receptor de inicio de sesi\u00f3n de la versi\u00f3n 1.4.11 permite a un atacante montar un ataque de Denegaci\u00f3n de Servicio mediante el env\u00edo de datos envenenados."}], "id": "CVE-2023-6378", "lastModified": "2023-12-05T21:00:10.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.0, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2023-11-29T12:15:07.543", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Release Notes"], "url": "https://logback.qos.ch/news.html#1.3.12"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}