CVE-2023-34061

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to trigger route pruning in Cloud Foundry's gorouter, causing denial of service by degrading service availability. It affects Cloud Foundry deployments using routing release versions v0.163.0 through v0.283.0.

💻 Affected Systems

Products:
  • Cloud Foundry routing release (gorouter)
Versions: v0.163.0 to v0.283.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Cloud Foundry deployments using vulnerable routing releases regardless of underlying infrastructure.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption where legitimate traffic cannot reach applications, effectively taking down the Cloud Foundry deployment.

🟠

Likely Case

Degraded performance and intermittent service outages as routes are pruned and need to be re-registered.

🟢

If Mitigated

Minimal impact if proper rate limiting and monitoring are in place to detect and block pruning attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires no authentication and can be performed with simple HTTP requests to trigger route pruning.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.284.0 and later

Vendor Advisory: https://www.cloudfoundry.org/blog/cve-2023-34061-gorouter-route-pruning/

Restart Required: Yes

Instructions:

1. Update the Cloud Foundry routing release to v0.284.0 or later.
2. Deploy the updated routing release.
3. Restart gorouter instances.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Rate limiting (applies to: all affected versions)
  Implement rate limiting on gorouter endpoints to prevent excessive pruning requests.

Network segmentation (applies to: all affected versions)
  Restrict access to gorouter management endpoints to trusted networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach gorouter endpoints
  • Deploy additional monitoring and alerting for unusual route pruning activity

🔍 How to Verify

Check if Vulnerable:

Check the routing release version in your Cloud Foundry deployment. If between v0.163.0 and v0.283.0 inclusive, you are vulnerable.

Check Version:

cf curl /routing/v1/router_groups

Verify Fix Applied:

Confirm routing release version is v0.284.0 or later and monitor for abnormal route pruning events.

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of route pruning events
  • Multiple pruning requests from single IP addresses
  • Error logs related to route registration failures

Network Indicators:

  • High volume of requests to gorouter pruning endpoints
  • Requests to /routes/prune endpoint from untrusted sources

SIEM Query:

source="gorouter" AND ("prune" OR "route registration failed")
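A detector for the log indicators listed above, run over a few constructed log lines. This is an added example, not code from the advisory or from the routing release; the line format and the `src=` field are assumptions, as are the threshold and window values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real gorouter output). Assumed format:
# "<ISO timestamp> <level> <message> src=<client ip>"
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z info route registered route=app1.example.com src=10.0.0.5
2024-01-01T10:00:01Z info prune route=app1.example.com src=203.0.113.7
2024-01-01T10:00:02Z info prune route=app2.example.com src=203.0.113.7
2024-01-01T10:00:03Z info prune route=app3.example.com src=203.0.113.7
2024-01-01T10:00:04Z error route registration failed route=app2.example.com src=203.0.113.7
2024-01-01T10:05:00Z info prune route=app4.example.com src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*?) src=(\S+)$")
# Same terms as the SIEM query above.
INDICATORS = ("prune", "route registration failed")

def parse(line):
    """Split one line into (timestamp, message, source ip); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(3), m.group(4)

def flag_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {src_ip: peak_count} for sources that produced at least
    `threshold` indicator events inside any sliding window of `window`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if not parsed:
            continue
        ts, msg, src = parsed
        if not any(ind in msg for ind in INDICATORS):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged
```

A single prune from a trusted source stays below the threshold, while a burst of prune and registration-failure events from one client address is reported with its peak count.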
