VMware Spring Boot 2.7.0 - 2.7.17, 3.0.0 - 3.0.12, 3.1.0 - 3.1.5 DoS Vulnerability

2023-11-3000:00:00

plugins.openvas.org

vmware spring boot

dos vulnerability

http requests

spring mvc

spring webflux

spring boot actuator

cve-2023-34053

cve-2023-34055

vendorfix

update

web metrics

cpe

greenbone ag

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.4%

JSON

VMware Spring Boot is prone to a denial of service (DoS)
vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:vmware:spring_boot";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.151329");
  script_version("2024-01-23T05:05:19+0000");
  script_tag(name:"last_modification", value:"2024-01-23 05:05:19 +0000 (Tue, 23 Jan 2024)");
  script_tag(name:"creation_date", value:"2023-11-30 03:23:13 +0000 (Thu, 30 Nov 2023)");
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-06-08 14:40:00 +0000 (Thu, 08 Jun 2023)");

  script_cve_id("CVE-2023-34053", "CVE-2023-34055");

  # nb: See affected tag for specific constraints / requirements for being vulnerable.
  script_tag(name:"qod_type", value:"executable_version_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("VMware Spring Boot 2.7.0 - 2.7.17, 3.0.0 - 3.0.12, 3.1.0 - 3.1.5 DoS Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Denial of Service");
  script_dependencies("gb_vmware_spring_boot_consolidation.nasl");
  script_mandatory_keys("vmware/spring/boot/detected");

  script_tag(name:"summary", value:"VMware Spring Boot is prone to a denial of service (DoS)
  vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"It is possible for a user to provide specially crafted HTTP
  requests that may cause a denial of service (DoS) condition.

  Spring Boot 3.x versions are also affected by CVE-2023-34053, which is a similar issue in Spring
  Framework. Spring Boot 3.0.13 and 3.1.6 releases upgrade Spring Framework to the relevant
  version.");

  script_tag(name:"affected", value:"VMware Spring Boot prior to version 2.7.17, 3.0.0 through
  3.0.12 and 3.1.0 to 3.1.5.

  Specifically, an application is vulnerable if all of the conditions are true:

  - The application uses Spring MVC or Spring WebFlux

  - org.springframework.boot:spring-boot-actuator is on the classpath");

  script_tag(name:"solution", value:"Update to version 2.7.18, 3.0.13, 3.1.6 or later.

  As a temporary workaround, Spring Boot users can choose to disable web metrics with the following
  property: management.metrics.enable.http.server.requests=false");

  script_xref(name:"URL", value:"https://spring.io/security/cve-2023-34055");
  script_xref(name:"URL", value:"https://spring.io/blog/2023/11/23/spring-boot-3-1-6-available-now/");
  script_xref(name:"URL", value:"https://spring.io/blog/2023/11/23/spring-boot-3-0-13-available-now/");
  script_xref(name:"URL", value:"https://spring.io/blog/2023/11/23/spring-boot-2-7-18-available-now/");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit( 0 );

version = infos["version"];
location = infos["location"];

if (version_is_less(version: version, test_version: "2.7.18")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "2.7.18", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "3.0.0", test_version_up: "3.0.13")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "3.0.13", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "3.1.0", test_version_up: "3.1.6")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "3.1.6", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);