CVE-2023-6378 Report - Details, Severity, & Advisories
Twingate Team • Jan 11, 2024
CVE-2023-6378 is a high-severity vulnerability affecting the logback receiver component in logback version 1.4.11 and earlier versions. This vulnerability allows attackers to launch Denial-of-Service attacks by sending poisoned data. It impacts a range of systems using logback, including those running on Java EE and Jakarta EE. To protect against this vulnerability, it's essential to update logback to a version with the necessary fixes.
How do I know if I'm affected?
To determine if you're affected by this vulnerability, check if you're using logback with the logback-receiver component enabled and reachable by an attacker. The affected versions include logback 1.2.0 to 1.2.13, 1.3.0 to 1.3.12, and 1.4.0 to 1.4.12.
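A triage check for the two conditions above, added here as an example (not Twingate's or the logback project's code): it tests a version string against the ranges listed on this page and lists the `<receiver>` elements in a logback configuration. The function names, status strings and sample configuration are constructed for illustration; whether the receiver's port is actually reachable by an attacker still has to be verified at the network level.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed on this page (inclusive bounds).
AFFECTED_RANGES = [
    ((1, 2, 0), (1, 2, 13)),
    ((1, 3, 0), (1, 3, 12)),
    ((1, 4, 0), (1, 4, 12)),
]

# Constructed sample logback.xml; the port value is illustrative only.
SAMPLE_CONFIG = """<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>6000</port>
  </receiver>
  <root level="INFO"/>
</configuration>"""

def parse_version(text):
    """Extract (major, minor, patch) from '1.4.11' or 'logback-classic-1.3.5.jar'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def version_in_affected_range(text):
    """True if the version falls inside one of the ranges listed on this page."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def receiver_classes(logback_xml):
    """Return the class attribute of every <receiver> element in the config."""
    root = ET.fromstring(logback_xml)
    return [el.get("class", "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "receiver"]

def assess(version_text, logback_xml):
    """Combine both checks into one status string (labels are made up here)."""
    if not version_in_affected_range(version_text):
        return "not-in-listed-range"
    receivers = receiver_classes(logback_xml)
    return "affected-receiver-enabled" if receivers else "affected-no-receiver"

if __name__ == "__main__":
    print(assess("1.4.11", SAMPLE_CONFIG))
```

Receivers can also be attached programmatically, so a clean configuration file does not by itself rule out exposure.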
What should I do if I'm affected?
If you're affected by this vulnerability, upgrade to logback version 1.3.14 or 1.4.14 for more complete fixes, and run the fixed version under Java 9 or later. If you can't upgrade immediately, ensure the logback-receiver component is not enabled or reachable by potential attackers.
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2023-6378 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog.
Weakness enumeration
The weakness for this vulnerability is categorized as CWE-502, which involves the deserialization of untrusted data. It affects the logback receiver component, allowing attackers to launch Denial-of-Service attacks.
For more details
CVE-2023-6378 is a high-severity vulnerability affecting logback's receiver component, with the potential for Denial-of-Service attacks. Upgrading to logback version 1.3.14 or 1.4.14 and running under Java 9 or later provides more complete protection. For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and affected software configurations, visit the NVD page or the links below.