Rewterz Threat Advisory – Multiple VMware Tanzu Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-34053 CVSS:5.3

VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw when the application uses Spring MVC or Spring WebFlux, io.micrometer:micrometer-core is on the classpath, or an ObservationRegistry is configured. By sending specially crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2023-34054 CVSS:5.3

VMware Tanzu Reactor Netty is vulnerable to a denial of service, caused by a flaw when built-in integration with Micrometer is enabled. By sending specially crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2023-34055 CVSS:5.3

VMware Tanzu Spring Boot is vulnerable to a denial of service, caused by a flaw when application uses Spring MVC or Spring WebFlux or org.springframework.boot:spring-boot-actuator is on the classpath. By sending specially crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.

Impact

• Denial of Service

Indicators Of Compromise

CVE

• CVE-2023-34053
• CVE-2023-34054
• CVE-2023-34055

Affected Vendors

VMware

Affected Products

• VMware Tanzu Spring Framework 6.0.0
• VMware Tanzu Spring Boot 2.7.0
• VMware Tanzu Spring Boot 3.0.0
• VMware Tanzu Spring Framework 6.0.13
• VMware Tanzu Reactor Netty 1.0.0
• VMware Tanzu Reactor Netty 1.0.38
• VMware Tanzu Reactor Netty 1.1.0
• VMware Tanzu Reactor Netty 1.1.12
• VMware Tanzu Spring Boot 2.7.17
• VMware Tanzu Spring Boot 3.0.12
• VMware Tanzu Spring Boot 3.1.0
• VMware Tanzu Spring Boot 3.1.5

Remediation

Refer to VMware Tanzu Web site for patch, upgrade or workaround information.

CVE-2023-34053

CVE-2023-34054

CVE-2023-34055