CVE-2023-34050 Siemens CVE debrief

Who should care

Organizations running Siemens SINEC NMS with affected Spring AMQP versions, OT/ICS security teams managing RabbitMQ message brokers, and developers implementing Spring AMQP message converters without allowed list restrictions.

Technical summary

The vulnerability exists in Spring AMQP's message conversion components. When SimpleMessageConverter or SerializerMessageConverter processes messages without configured allowed list patterns, arbitrary Java classes can be deserialized from message payloads. This creates a deserialization attack surface when untrusted actors can publish messages to the RabbitMQ broker. The attack requires network access to the broker (AV:N), high attack complexity (AC:H), and high privileges (PR:H), with potential for high availability impact (A:H) and low integrity impact (I:L).

Defensive priority

medium

Recommended defensive actions

• Update Siemens SINEC NMS to version 3.0 or later per vendor guidance
• Configure allowed list patterns for deserializable class names in Spring AMQP if not using vendor fix
• Review RabbitMQ broker access controls to restrict untrusted message originators
• Audit applications using SimpleMessageConverter or SerializerMessageConverter for deserialization configurations
• Apply defense-in-depth controls for industrial control systems per CISA recommended practices

Evidence notes

CVE description confirms Spring AMQP versions 1.0.0-2.4.16 and 3.0.0-3.0.9 affected. CISA CSAF advisory ICSA-24-228-06 identifies Siemens SINEC NMS as impacted product. CVSS vector from source: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C.

Official resources