CVE-2023-34050 is a deserialization vulnerability in the Spring AMQP project, the vulnerability allows an attacker to inject malicious code into a Spring AMQP application by sending a specially crafted message. The malicious code can then be executed on the application server, potentially giving the attacker control over the server.
The root cause resides on the deserialization of data in messages sourced from untrustworthy senders. Though Spring AMQP integrated allowed list patterns for class names eligible for deserialization back in 2016, it had a gaping loophole. In instances where no allowed list was specified, the system would, by default, allow the deserialization of all classes.
The vulnerability can be exploited if it meets the below criteria:
- the SimpleMessageConverter or SerializerMessageConverter is used.
- the user does not configure allowed list patterns.
- untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content.
Spring AMQP versions from 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 are vulnerable to CVE-2023-34050.
Mitigation measures
- Don’t grant untrusted entities access to your RabbitMQ server.
- Those using versions before 2.4.17 should immediately transition to 2.4.17. Similarly, if your system runs on versions between 3.0.0 to 3.0.9, consider upgrading to 3.0.10. Spring Boot’s dependency management will automatically source these rectified versions, starting with Boot versions 2.7.17, 3.0.12, 3.1.5, and 3.2.0.
- Allowed class name patterns to have now become a requirement.
