CVE-2023-47633 – Traefik Docker Container High CPU Usage Vulnerability, Upgrade Now!

A newly discovered vulnerability, CVE-2023-47633, has been identified in Traefik, an open-source HTTP reverse proxy and load balancer. This issue specifically affects the Traefik Docker container and results in high CPU usage (100%) when it serves as its own backend.

In this post, we'll provide an overview of the vulnerability, its impact, code snippets illustrating the issue, and references to original sources. We'll also explain how to update your Traefik version to protect yourself from this exploit.

Vulnerability Details

This vulnerability is caused by an automatically generated route that results from the default Docker integration in the Traefik configuration. When Traefik serves as its own backend in this configuration, the container will consume 100% CPU usage, leading to potential denial of service (DoS) attacks and other performance issues.

Affected Versions

This vulnerability affects Traefik versions prior to 2.10.6 and 3..-beta5.

Here's an example of a configuration that will lead to high CPU usage due to CVE-2023-47633

[providers.docker]
  exposedbydefault = true
  watch = true

This configuration has the Docker provider watching containers and exposing their services by default, causing an automatically generated route to be created for the backend container.

Exploit Details

An attacker can exploit this vulnerability by triggering a specific HTTP request to the backend Traefik service, causing it to consume 100% CPU. This can lead to a denial of service for any applications using the affected Traefik service.

How to Protect Yourself

To protect yourself from this vulnerability, you should update your Traefik version to 2.10.6 or 3..-beta5 or later. There are no known workarounds for this issue.

You can upgrade Traefik by following the official documentation

- Traefik v2: https://doc.traefik.io/traefik/v2.5/getting-started/install-traefik/
- Traefik v3 (beta): https://doc.traefik.io/traefik/v3./getting-started/

- Traefik GitHub Repository
- Traefik Security Advisory for CVE-2023-47633

Conclusion

It's essential to stay up-to-date on vulnerability disclosures to keep your systems secure. This CVE-2023-47633 vulnerability, affecting Traefik Docker containers, can result in high CPU usage and potential denial of service attacks. By updating your Traefik version to 2.10.6 or 3..-beta5 or later, you can effectively mitigate this issue and keep your systems running smoothly.

Timeline

Published on: 12/04/2023 21:15:34 UTC
Last modified on: 12/07/2023 20:51:18 UTC