CVE-2022-22971

Denial of Service
Affects Spring Framework <5.2.22, >=5.3.0 <5.3.20 in Spring
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

A Denial of Service (DoS) vulnerability (CVE-2022-22971) has been identified in the spring-messaging module of Spring Framework. It allows an authenticated attacker to overwhelm a server with specially crafted STOMP messages.

Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

This issue affects multiple versions of spring-messaging from Spring Framework.

Details

Module Info

Vulnerability Info

A Spring application with a STOMP over WebSocket endpoint can be exploited by an authenticated user to perform a denial of service attack.

An authenticated user can exploit the system by continuously sending a stream of CONNECT messages. This forces the server to repeatedly reinitialize memory for the session and generate responses, potentially leading to resource exhaustion and making the system vulnerable to a denial of service attack.

Steps To Reproduce

Set up a server that handles STOMP over WebSocket using the Spring getting-started example. Downgrade Spring Boot to a vulnerable version, such as 2.7.0. In the complete folder, add a test to GreetingIntegrationTests that sends multiple CONNECT messages over a single WebSocket session.

// Added to GreetingIntegrationTests in the guide's "complete" folder; the class must carry
// @ExtendWith(OutputCaptureExtension.class) for CapturedOutput, and port is the guide's @LocalServerPort field.
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.system.CapturedOutput;
import org.springframework.web.socket.TextMessage;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.client.WebSocketClient;
import org.springframework.web.socket.client.standard.StandardWebSocketClient;
import org.springframework.web.socket.handler.LoggingWebSocketHandlerDecorator;
import org.springframework.web.socket.handler.TextWebSocketHandler;

@Test
public void multipleConnect(CapturedOutput output) throws ExecutionException, InterruptedException, IOException {
	// Plain WebSocket client so raw STOMP frames can be sent as text, bypassing the STOMP client's state machine
	WebSocketClient client = new StandardWebSocketClient();
	WebSocketHandler handler = new LoggingWebSocketHandlerDecorator(new TextWebSocketHandler() {
		@Override
		protected void handleTextMessage(WebSocketSession session, TextMessage message) throws Exception {
			System.out.println("Received message: " + message.getPayload());
		}
	});
	WebSocketSession session = client.doHandshake(handler, "ws://localhost:{port}/gs-guide-websocket", port).get();

	for (int i = 0; i < 100; i++) {
		// Send a STOMP CONNECT frame (command, headers, blank line, NUL terminator) on the same session
		session.sendMessage(new TextMessage("CONNECT\naccept-version:1.2\n\n\u0000"));
	}
	// A patched server logs this for every CONNECT after the first; a vulnerable server never does
	Assertions.assertThat(output).contains("Ignoring CONNECT in session ").contains(". Already connected.");
}

On patched versions this test passes because every CONNECT after the first is ignored and logged. On vulnerable versions the session is reinitialized on every CONNECT, the expected log line never appears, and the test fails.
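As an added defensive illustration (not part of this advisory and not the Spring patch), the following clientInboundChannel interceptor enforces the same rule the patched framework applies, one CONNECT per WebSocket session, and drops repeat frames before they reach the message broker. It assumes the application already has an @EnableWebSocketMessageBroker configuration such as the guide's WebSocketConfig; the class names SingleConnectInterceptor and StompConnectGuardConfig are invented here.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

// Compensating control (hypothetical, not the Spring fix): remember which WebSocket sessions
// have already sent CONNECT and silently drop any further CONNECT frames from those sessions.
public class SingleConnectInterceptor implements ChannelInterceptor {

	private final Set<String> connectedSessions = ConcurrentHashMap.newKeySet();

	@Override
	public Message<?> preSend(Message<?> message, MessageChannel channel) {
		StompHeaderAccessor accessor = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
		if (accessor == null || accessor.getCommand() == null || accessor.getSessionId() == null) {
			return message; // not a client STOMP frame; leave it alone
		}
		String sessionId = accessor.getSessionId();
		StompCommand command = accessor.getCommand();
		if (command == StompCommand.CONNECT || command == StompCommand.STOMP) {
			// add() is false when this session already connected; returning null
			// from preSend() drops the frame before the broker reinitializes the session.
			return connectedSessions.add(sessionId) ? message : null;
		}
		if (command == StompCommand.DISCONNECT) {
			// Spring also synthesizes a DISCONNECT when the transport closes,
			// so entries are released and the set does not grow without bound.
			connectedSessions.remove(sessionId);
		}
		return message;
	}
}

// Registers the interceptor on the inbound channel; relies on the existing
// @EnableWebSocketMessageBroker configuration elsewhere in the application.
@Configuration
class StompConnectGuardConfig implements WebSocketMessageBrokerConfigurer {
	@Override
	public void configureClientInboundChannel(ChannelRegistration registration) {
		registration.interceptors(new SingleConnectInterceptor());
	}
}
```

The interceptor only stops work downstream of the channel (broker session setup and the CONNECTED reply), so it reduces rather than removes the per-frame cost; upgrading to a fixed version remains the actual remedy.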

Credits

  • David Delbecq and Rémy Vermeiren from HMS Industrial Networks, Business Unit Ewon, R&D Department - Software

Mitigation

Spring Framework 4.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2022-22971
Project Affected: Spring Framework
Versions Affected: <5.2.22, >=5.3.0 <5.3.20
Published date: May 11, 2022
Approximate fix date: May 11, 2022
Severity: Medium
Category: Denial of Service