7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34040

GHSA ID

GHSA-crqf-q9fp-hwjw

EPSS Score

0.94568%

CWE

CWE-502

Published

8/24/2023

Updated

11/5/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34040

CVE-2023-34040: Spring-Kafka has Java Deserialization vulnerability When Improperly Configured

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.

Specifically, an application is vulnerable when all of the following are true:

The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record
The user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.
The user allows untrusted sources to publish to a Kafka topic

By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34040

GHSA ID

GHSA-crqf-q9fp-hwjw

EPSS Score

0.94568%

CWE

CWE-502

Published

8/24/2023

Updated

11/5/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.kafka:spring-kafka	maven	>= 3.0.0, < 3.0.10	3.0.10
org.springframework.kafka:spring-kafka	maven	>= 2.8.1, < 2.9.11	2.9.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe deserialization of Kafka record headers. The deprecated ListenerUtils methods directly deserialized header contents without validating the header type, which could be exploited when: 1) ErrorHandlingDeserializer isn't used to sanitize headers, 2) checkDeserExWhen*Null flags are enabled, and 3) untrusted data is allowed. The patched version introduces DeserializationExceptionHeader type checks in SerializationUtils equivalents, which the original functions lacked.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Sprin* *or *p**** K**k* *.*.* *n* **rli*r *n* v*rsions *.*.** *n* **rli*r, * possi*l* **s*ri*liz*tion *tt**k v**tor *xist**, *ut only i* unusu*l *on*i*ur*tion w*s *ppli**. *n *tt**k*r woul* **v* to *onstru*t * m*li*ious s*ri*liz** o*j**t in on* o*

Reasoning

T** vuln*r**ility st*ms *rom uns*** **s*ri*liz*tion o* K**k* r**or* *****rs. T** **pr***t** `List*n*rUtils` m*t*o*s *ir**tly **s*ri*liz** *****r *ont*nts wit*out `v*li**tin*` t** *****r typ*, w*i** *oul* ** *xploit** w**n: *) `*rror**n*lin***s*ri*liz

7.8

Basic Information

Concerned about an active attack path?

CVE-2023-34040: Spring-Kafka has Java Deserialization vulnerability When Improperly Configured

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI