CVE-2023-6378 – A serialization vulnerability in logback's rece... (How to Fix)

Q: How do I fix CVE-2023-6378?

1. Update logback dependency to version 1.4.12 or later. 2. Update pom.xml or build.gradle with new version. 3. Rebuild and redeploy application. 4. Restart affected services.

Q: What is the severity of CVE-2023-6378?

CVE-2023-6378 has a CVSS score of 7.1 (HIGH). A serialization vulnerability in logback's receiver component (versions 1.4.11 and earlier) allows attackers to send maliciously crafted data that causes denial-of-service conditions. This affects any application using logback's receiver functionality for remote logging. Systems with exposed logback receivers are vulnerable.

📋 TL;DR

A serialization vulnerability in logback's receiver component (versions 1.4.11 and earlier) allows attackers to send maliciously crafted data that causes denial-of-service conditions. This affects any application using logback's receiver functionality for remote logging. Systems with exposed logback receivers are vulnerable.

💻 Affected Systems

Products:

logback

Versions: logback versions <= 1.4.11

Operating Systems: All platforms running Java applications with logback

Default Config Vulnerable: ✅ No

Notes: Only affects systems using logback's receiver component for remote logging. Standard logging configurations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion or crashes from malicious serialization payloads.

🟠

Likely Case

Service degradation or temporary unavailability from DoS attacks targeting the logging infrastructure.

🟢

If Mitigated

Minimal impact if receivers are not exposed or proper input validation is implemented.

🌐 Internet-Facing: HIGH if logback receivers are exposed to untrusted networks without proper controls.

🏢 Internal Only: MEDIUM as internal attackers could still exploit the vulnerability to disrupt services.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending malicious data to the logback receiver endpoint. No authentication needed if endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: logback 1.4.12 or later

Vendor Advisory: https://logback.qos.ch/news.html#1.3.12

Restart Required: Yes

Instructions:

1. Update logback dependency to version 1.4.12 or later. 2. Update pom.xml or build.gradle with new version. 3. Rebuild and redeploy application. 4. Restart affected services.

🔧 Temporary Workarounds

Disable logback receiver

all

Disable or restrict access to logback receiver component if not required

Configure logback.xml to disable receiver: <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver"> <disabled>true</disabled> </receiver>

Network isolation

linux

Restrict network access to logback receiver ports

iptables -A INPUT -p tcp --dport [logback-port] -j DROP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="[logback-port]" drop'

🧯 If You Can't Patch

Implement network segmentation to isolate logback receivers from untrusted networks
Deploy WAF or reverse proxy with input validation rules to filter malicious payloads

🔍 How to Verify

Check if Vulnerable:

Check logback version in dependencies: grep -r "logback.*1\.4\.1[0-1]" pom.xml build.gradle

Check Version:

grep -o "logback.*[0-9]\.[0-9]\.[0-9]\+" pom.xml build.gradle gradle.properties

Verify Fix Applied:

Verify logback version is 1.4.12 or later: java -cp "logback-classic-*.jar" ch.qos.logback.classic.Logger | grep version

📡 Detection & Monitoring

Log Indicators:

Unusual serialization errors in logback logs
High volume of malformed logging requests
Stack traces containing java.io.InvalidClassException

Network Indicators:

Unusual traffic to logback receiver ports (default 4560)
Large serialized objects sent to logging endpoints

SIEM Query:

source="*logback*" AND ("InvalidClassException" OR "serialization" OR "receiver")

📊 Metadata

CVE ID: CVE-2023-6378

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-502

Published: November 29, 2023

Last Updated: November 29, 2024

🔗 References

https://logback.qos.ch/news.html#1.3.12 Release Notes
https://logback.qos.ch/news.html#1.3.12 Release Notes
https://security.netapp.com/advisory/ntap-20241129-0012/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6378, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Logback by Qos

Logback by Qos

Logback by Qos

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable logback receiver

Network isolation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities