CVE-2023-34050 is a deserialization vulnerability in the Spring AMQP project, which is a popular Java library for developing messaging solutions. The vulnerability allows an attacker to inject malicious code into a Spring AMQP application by sending a specially crafted message. The malicious code can then be executed on the application server, potentially giving the attacker control over the server.
The root cause is the deserialization of Java-serialized data in messages from untrusted senders. Spring AMQP added allowed list patterns for the class names eligible for deserialization back in 2016, but with a significant loophole: when no allowed list was configured, all classes were deserialized by default.
This means an application is open to exploitation if:
- the SimpleMessageConverter or SerializerMessageConverter is used
- the user does not configure allowed list patterns
- untrusted message originators are able to publish messages to the RabbitMQ broker and so can send malicious content
Spring AMQP versions from 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 are vulnerable to CVE-2023-34050.
If you suspect your system might be susceptible, consider the following mitigation measures:
- Restriction: Don’t grant untrusted entities access to your RabbitMQ server.
- Upgrades: Those using versions before 2.4.17 should immediately move to 2.4.17. Similarly, if your system runs on versions 3.0.0 through 3.0.9, upgrade to 3.0.10. Spring Boot’s dependency management will automatically pull in these fixed versions, starting with Boot versions 2.7.17, 3.0.12, 3.1.5, and 3.2.0.
- Mandatory Class Name Patterns: In the fixed versions, configuring allowed class name patterns is required rather than optional.
However, if for some reason you wish to revert to the all-trusting mode, you can set the global environment variable or system property described in the Java Deserialization section of the documentation.
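The following Spring configuration, added here as an illustration and not taken from the Spring AMQP project or its documentation, shows how to configure the allowed class name patterns described above so that the same converter is used for both listeners and RabbitTemplate. The package and class names under com.example.orders are placeholders for this example.

```java
import java.util.List;

import org.springframework.amqp.rabbit.config.SimpleRabbitListenerContainerFactory;
import org.springframework.amqp.rabbit.connection.ConnectionFactory;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.amqp.support.converter.SimpleMessageConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AmqpDeserializationConfig {

    // Fully qualified names of the only classes this application expects to
    // receive as Java-serialized payloads. These are placeholder names for the
    // example; list your own message types instead. Patterns are simple
    // wildcards such as "com.example.orders.*", not regular expressions, and
    // every class resolved while reading the object graph is checked, so JDK
    // collection types nested inside your own types must be allowed as well.
    private static final List<String> ALLOWED_PATTERNS = List.of(
            "com.example.orders.OrderPlaced",
            "com.example.orders.OrderCancelled",
            "java.util.*");

    @Bean
    public SimpleMessageConverter messageConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        // Without this call, versions before 2.4.17 / 3.0.10 fall back to
        // deserializing any class on the classpath (CVE-2023-34050).
        converter.setAllowedListPatterns(ALLOWED_PATTERNS);
        return converter;
    }

    // Inbound path: @RabbitListener containers use this converter.
    @Bean
    public SimpleRabbitListenerContainerFactory rabbitListenerContainerFactory(
            ConnectionFactory connectionFactory, SimpleMessageConverter messageConverter) {
        SimpleRabbitListenerContainerFactory factory = new SimpleRabbitListenerContainerFactory();
        factory.setConnectionFactory(connectionFactory);
        factory.setMessageConverter(messageConverter);
        return factory;
    }

    // Synchronous receive path: RabbitTemplate.receiveAndConvert() uses the
    // same allowed list, so there is no second, unrestricted converter.
    @Bean
    public RabbitTemplate rabbitTemplate(ConnectionFactory connectionFactory,
            SimpleMessageConverter messageConverter) {
        RabbitTemplate template = new RabbitTemplate(connectionFactory);
        template.setMessageConverter(messageConverter);
        return template;
    }
}
```

A message whose payload resolves a class outside these patterns is rejected by the converter instead of being instantiated, which is the behaviour the fixed versions enforce by default.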