CVE-2023-23969
📋 TL;DR
This vulnerability in Django allows attackers to cause a denial of service by sending HTTP requests with extremely large Accept-Language headers: Django parses the header and caches the parsed value in memory. It affects Django applications running vulnerable versions that accept HTTP requests carrying Accept-Language headers. Repeated requests can drive excessive memory consumption and disrupt service.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, requiring server restart and potentially causing extended downtime.
Likely Case
Degraded performance and intermittent service disruptions as memory consumption increases with repeated malicious requests.
If Mitigated
Minimal impact with proper request filtering and memory monitoring in place.
🎯 Exploit Status
Exploitation requires sending HTTP requests with large Accept-Language headers, which is trivial to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Django 3.2.17, 4.0.9, or 4.1.6
Vendor Advisory: https://docs.djangoproject.com/en/4.1/releases/security/
Restart Required: Yes
Instructions:
1. Upgrade Django to version 3.2.17, 4.0.9, or 4.1.6 or higher.
2. Update requirements.txt or install directly: 'pip install Django==4.1.6' (or the appropriate version for your release series).
3. Restart the Django application server.
🔧 Temporary Workarounds
Web Server Request Filtering
Configure the web server (nginx, Apache) to reject or limit Accept-Language header size
nginx: add 'large_client_header_buffers 4 8k;' to the http/server block; a header line that does not fit one buffer is rejected with a 400. Note that 4 8k is nginx's default, so lower the buffer size if you want a tighter limit than 8k.
Apache: use mod_headers (RequestHeader edit/unset) to strip or rewrite oversized Accept-Language values; the core LimitRequestFieldSize directive bounds the size of every request header field.
Django Middleware Filtering
Implement custom middleware to validate Accept-Language header size
Create middleware class with process_request method that checks request.META.get('HTTP_ACCEPT_LANGUAGE') length
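The middleware workaround described above, as an added example that is not part of the original advisory or of Django itself. It uses Django's new-style middleware interface (`__init__(get_response)` / `__call__`) rather than a `process_request` hook, and drops an oversized header instead of rejecting the request, so Django falls back to settings.LANGUAGE_CODE; the 500-byte limit and the `_DemoRequest` stand-in are assumptions for offline use.

```python
import logging

log = logging.getLogger(__name__)

# Assumed limit, not a Django setting: real browsers send a few dozen bytes.
MAX_ACCEPT_LANGUAGE_BYTES = 500


def accept_language_too_large(meta, limit=MAX_ACCEPT_LANGUAGE_BYTES):
    """True if request.META (the WSGI environ) carries an oversized header."""
    return len(meta.get("HTTP_ACCEPT_LANGUAGE", "")) > limit


class AcceptLanguageSizeMiddleware:
    """Strip oversized Accept-Language headers before LocaleMiddleware sees them.

    List it early in settings.MIDDLEWARE, ahead of LocaleMiddleware. With the
    header removed Django uses settings.LANGUAGE_CODE instead of parsing and
    caching attacker-sized input.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if accept_language_too_large(request.META):
            log.warning(
                "Dropping %d-byte Accept-Language header from %s",
                len(request.META["HTTP_ACCEPT_LANGUAGE"]),
                request.META.get("REMOTE_ADDR", "?"),
            )
            del request.META["HTTP_ACCEPT_LANGUAGE"]
        return self.get_response(request)


class _DemoRequest:
    """Minimal stand-in for HttpRequest so the middleware can run without Django."""

    def __init__(self, meta):
        self.META = meta


def demo():
    """Run two constructed requests through the middleware; returns the header each view sees."""
    middleware = AcceptLanguageSizeMiddleware(lambda req: req.META.get("HTTP_ACCEPT_LANGUAGE"))
    normal = _DemoRequest({"HTTP_ACCEPT_LANGUAGE": "en-US,en;q=0.9,de;q=0.8"})
    oversized = _DemoRequest({"HTTP_ACCEPT_LANGUAGE": "x" * 10_000, "REMOTE_ADDR": "203.0.113.7"})
    return middleware(normal), middleware(oversized)


if __name__ == "__main__":
    print(demo())  # ('en-US,en;q=0.9,de;q=0.8', None)
```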
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests with large Accept-Language headers
- Monitor memory usage and set up alerts for abnormal consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check Django version: 'python -m django --version' or inspect requirements.txt
Check Version:
python -m django --version
Verify Fix Applied:
Confirm Django version is 3.2.17+, 4.0.9+, or 4.1.6+ after upgrade
📡 Detection & Monitoring
Log Indicators:
- Multiple requests with unusually large Accept-Language headers
- Memory usage spikes in Django process logs
Network Indicators:
- HTTP requests with Accept-Language headers exceeding normal size (typically > 1KB)
SIEM Query:
source="web_logs" http_accept_language=* | eval al_len=len(http_accept_language) | where al_len > 1024 | stats count by src_ip | where count > threshold
(Splunk-style query; the field names http_accept_language and src_ip are assumed to match your web log schema, and threshold is a placeholder for your own rate limit.)
🔗 References
- https://docs.djangoproject.com/en/4.1/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://security.netapp.com/advisory/ntap-20230302-0007/
- https://www.djangoproject.com/weblog/2023/feb/01/security-releases/