CVE-2023-20861

Denial of Service
Affects
Spring Framework
<5.2.23, >=5.3.0 <5.3.26, >=6.0.0 <6.0.7
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring is a Java framework typically used for enterprise and web applications, though it can be used for desktop applications, as well. It is composed of many modules and not all modules are used by every deployment.

This vulnerability (CVE-2023-20861) is in the spring-expression library, which is responsible for evaluating Spring Expression Language (SpEL) expressions. It allows for denial of service (DoS) via excessive recursion when processing expressions, particularly those using the repeat operator (*) to replicate a string many times, leading to an OutOfMemoryError.

The Open Web Application Security Project (OWASP) explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case, the vulnerability allows susceptible SpEL expressions to use most system resources and deny other users access to the system.

This issue affects multiple versions of spring-expression from Spring Framework.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the spring-expression.jar module of the Spring Framework.

When user-supplied Spring Expression Language (SpEL) expressions with repetition are evaluated, system resources can be exhausted. Sending a specially crafted SpEL expression to the application where it would attempt to repeat a string a large number of times exhibits the flaw. For instance, an expression like 'A' * 2147483647 would try to create a string of 2,147,483,647 'A's. In environments where the string creation is not optimized or limited, this could lead to an OutOfMemoryError as the application tries to allocate memory for such an enormous string.

Consider the following mitigation options if upgrading to a corrected version of the library is not immediately available:

  • Restrict SpEL Permissions and Operators: Use SimpleEvaluationContext.forReadOnlyDataBinding() as it prevents use of the repetition operator (*) that enables this vulnerability. If you need more complex expression evaluation, use StandardEvaluationContext with custom PropertyAccessor and MethodResolver implementations to whitelist only required functionality. Note that StandardEvaluationContext alone will not prevent the repetition operator vulnerability.
  • Sanitize Input: For applications that need to process some dynamic expressions, adding pre-validation steps to sanitize input can prevent malicious or unexpected constructs from reaching the evaluation stage.
  • Monitor Resource Usage: For applications particularly vulnerable to DoS, monitoring and alerting on CPU and memory usage can help detect unusual spikes, allowing you to respond to potential attacks swiftly.

Steps To Reproduce

To reproduce this vulnerability in a controlled environment, you would need a Spring application running an affected version and an available end point.

1. Set up a vulnerable Spring application:

  • Create a simple Spring Boot application using a vulnerable Spring Framework version, such as 5.3.25

2. Add additional files to fill out the project. Launch the app with a limited amount of memory by including a memory parameter such as -Xmx512m.

3. Craft a malicious request that employs repetition similar to the one below:

'A' * 2147483647

4. Send the request to an end-point in the application, such as the one defined below:

@RestController
public class ExpressionController {
    @PostMapping("/evaluate")
    public ResponseEntity<String> evaluateExpression(@RequestBody String expression) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(expression);
        String result = exp.getValue(String.class);
        return ResponseEntity.ok(result);
    }
}

5. Send the request to an end-point in the application using a tool such as curl or Postman:

curl -X POST \
  -H "Content-Type: text/plain" \
  -d "'A' * 2147483647" \
  http://localhost:8080/evaluate


6. Observe the impact:

  • Monitor the server's CPU, memory, and disk usage with monitoring tools. The denial-of-service (DoS) impact should be noticeable as the server executes the expression.
  • Server logs may also show system degradation.

Credits

  • Alvaro Muñoz from Micro Focus Fortify Research

Mitigation

Spring Framework 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a corrected version
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
  • A partial workaround is to avoid using user-supplied expressions or to configure SimpleEvaluationContext with forReadOnlyDataBinding() to prevent use of the repetition operator.

Vulnerability Details
ID
CVE-2023-20861
PROJECT Affected
Spring Framework
Versions Affected
<5.2.23, >=5.3.0 <5.3.26, >=6.0.0 <6.0.7
Published date
March 23, 2023
≈ Fix date
March 23, 2023
Severity
Medium
Category
Denial of Service
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.