CVE-2023-6481: Logback "receiver" DOS vulnerability CVE-2023-6378 incomplete fix
First published: Mon Dec 04 2023(Updated: )
A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Credit: vulnerability@ncsc.ch vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Qos Logback | =1.2.12 | |
| Qos Logback | =1.3.13 | |
| Qos Logback | =1.4.13 | |
| maven/ch.qos.logback:logback-core | =1.2.12 | 1.2.13 |
| maven/ch.qos.logback:logback-core | =1.3.13 | 1.3.14 |
| maven/ch.qos.logback:logback-core | =1.4.13 | 1.4.14 |
| redhat/logback-classic | <1.2.13 | 1.2.13 |
| redhat/logback-classic | <1.3.14 | 1.3.14 |
| redhat/logback-classic | <1.4.14 | 1.4.14 |
Remedy
Only environments where logback receiver component is deployed may be vulnerable. In case a logback receiver is deployed, restricting connections to trustworthy clients or upgrading to logback version 1.4.14, 1.3.14, 1.2.13 or later will remedy the vulnerability. If you do not need to deploy logback-receiver, then please verify that you do not have any <receiver></receiver> entries in your configuration files.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://logback.qos.ch/news.html#1.3.12
- https://logback.qos.ch/news.html#1.3.14
- https://nvd.nist.gov/vuln/detail/CVE-2023-6481
- https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578
- https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f
- https://github.com/advisories/GHSA-gm62-rw4g-vrc4 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2252957
- https://access.redhat.com/errata/RHSA-2024:0793
- https://access.redhat.com/errata/RHSA-2024:0843
- https://access.redhat.com/errata/RHSA-2024:2945
- https://access.redhat.com/errata/RHSA-2024:3354
- https://bugzilla.redhat.com/show_bug.cgi?id=2252956
Frequently Asked Questions
What is CVE-2023-6481?
CVE-2023-6481 is a vulnerability in the logback receiver component of logback versions 1.4.13, 1.3.13, and 1.2.12.
What is the severity of CVE-2023-6481?
CVE-2023-6481 has a severity rating of 7.1 (high).
How does CVE-2023-6481 work?
CVE-2023-6481 is a serialization vulnerability that allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Which software versions are affected by CVE-2023-6481?
CVE-2023-6481 affects logback versions 1.4.13, 1.3.13, and 1.2.12.
How can I fix CVE-2023-6481?
To fix CVE-2023-6481, update logback to a version that includes the complete fix, such as version 1.4.14 or higher.
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-gm62-rw4g-vrc4
- alias/CVE-2023-6481
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/title
- agent/remedy
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/severity
- agent/softwarecombine
- agent/description
- agent/event
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- vendor/qos
- canonical/qos logback
- version/qos logback/1.2.12
- version/qos logback/1.3.13
- version/qos logback/1.4.13
- package-manager/maven
- package-manager/redhat