CVE-2023-6378: Logback "receiver" DOS vulnerability
First published: Wed Nov 29 2023(Updated: )
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Credit: vulnerability@ncsc.ch vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Qos Logback | >=1.2.0<1.2.13 | |
| Qos Logback | >=1.3.0<1.3.12 | |
| Qos Logback | >=1.4.0<1.4.12 | |
| maven/ch.qos.logback:logback-classic | <1.2.13 | 1.2.13 |
| maven/ch.qos.logback:logback-core | <1.2.13 | 1.2.13 |
| maven/ch.qos.logback:logback-core | >=1.3.0<1.3.12 | 1.3.12 |
| maven/ch.qos.logback:logback-classic | >=1.3.0<1.3.12 | 1.3.12 |
| maven/ch.qos.logback:logback-core | >=1.4.0<1.4.12 | 1.4.12 |
| maven/ch.qos.logback:logback-classic | >=1.4.0<1.4.12 | 1.4.12 |
| >=1.2.0<1.2.13 | ||
| >=1.3.0<1.3.12 | ||
| >=1.4.0<1.4.12 |
Remedy
Only environments where logback receiver component is deployed may be vulnerable. In case a logback receiver is deployed, restricting connections to trustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://logback.qos.ch/news.html#1.3.12
- https://nvd.nist.gov/vuln/detail/CVE-2023-6378
- https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb
- https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731
- https://logback.qos.ch/manual/receivers.html
- https://github.com/qos-ch/logback/issues/745#issuecomment-1836227158
- https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3
- https://logback.qos.ch/news.html#1.2.13
- https://github.com/advisories/GHSA-vmq6-5m68-f53m (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2252951
- https://access.redhat.com/errata/RHSA-2024:0793
- https://access.redhat.com/errata/RHSA-2024:2945
- https://access.redhat.com/errata/RHSA-2024:3354
- https://bugzilla.redhat.com/show_bug.cgi?id=2252230
- https://security.netapp.com/advisory/ntap-20241129-0012
- https://security.netapp.com/advisory/ntap-20241129-0012/
Frequently Asked Questions
What is CVE-2023-6378?
CVE-2023-6378 is a serialization vulnerability in the logback receiver component, allowing an attacker to mount a Denial-of-Service attack by sending poisoned data.
How severe is CVE-2023-6378?
CVE-2023-6378 has a severity level of 7.1, which is classified as high.
Which software versions are affected by CVE-2023-6378?
Logback versions 1.4.0 to 1.4.12 and versions 1.3.0 to 1.3.12 of logback-core and logback-classic are affected by CVE-2023-6378.
How can I fix CVE-2023-6378?
To fix CVE-2023-6378, upgrade to logback version 1.4.12 for logback-core and logback-classic.
Where can I find more information about CVE-2023-6378?
You can find more information about CVE-2023-6378 in the logback news, the NIST vulnerability database, and the logback GitHub commit.
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/remedy
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-6378
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vmq6-5m68-f53m
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/references
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- collector/github-advisory
- agent/tags
- agent/trending
- package-manager/maven
- vendor/qos
- canonical/qos logback
- version/qos logback/1.2.0
- version/qos logback/1.3.0
- version/qos logback/1.4.0