By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2022-22950

Denial of Service

Affects

Spring Framework

<5.2.20, >=5.3.0 <5.3.17

Spring

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring is a Java framework typically used for enterprise and web applications, though it can be used for desktop applications, as well. It is composed of many modules and not all modules are used by every deployment.

‍

This vulnerability (CVE-2022-22950) is in the spring-expression library, which is responsible for evaluating Spring Expression Language (SpEL) expressions. It happens particularly when the SpEL expression calls the doFilter() method of a JavaServer Faces (JSF) component directly, which was not supported in these versions of Spring Framework due to changes in method signatures aligning with the Servlet 3.0 specification.

‍

The Open Web Application Security Project (OWASP) explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case, the vulnerability allows susceptible SpEL expressions to use most system resources and deny other users access to the system.

‍

This issue affects multiple versions of spring-expression from Spring Framework.

‍

Details

Module Info

Product: Spring Framework
Affected packages: spring-expression
Affected versions: <5.2.20, >=5.3.0 <5.3.17
GitHub repository: https://github.com/spring-projects/spring-framework
Published packages: https://central.sonatype.com/artifact/org.springframework/spring-expression
Package manager: Maven
Fixed in: NES for Spring Framework v4.3.32 and v5.3.44

‍

Vulnerability Info

This Medium-severity vulnerability is found in the spring-expression.jar module of the Spring Framework.

When user-supplied Spring Expression Language (SpEL) expressions with repetition are evaluated, it is possible to exhaust system resources through excessive computation such as heavy mathematical operations. An example might be T(java.lang.Math).pow(2, 1000000), which attempts to compute 2 raised to the power of 1,000,000. In environments where excessive mathematical computation is not limited, this monopolizes the system resources thereby denying other users access or even crashes the system.

‍

Consider the following mitigation options if upgrading to a corrected version of the library is not immediately available:

Restrict SpEL Expressions and Validate Inputs:
- Restrict or sanitize user input that could lead to malicious or excessive expressions.
- Whitelist valid expressions if possible, and avoid directly evaluating user-provided input within SpEL. This reduces the risk of users injecting complex expressions.
  ‍
Implement Expression Limits:‍
- Set limits on computation within expressions by controlling recursion depth or enforcing timeouts if your system allows it.
- For expressions involving math operations, restrict the range of input values so that calculations like high powers or factorials don’t overwhelm resources.

Monitor Resource Usage: For applications particularly vulnerable to DoS, monitoring and alerting on CPU and memory usage can help detect unusual spikes, allowing you to respond to potential attacks swiftly.

‍

Steps To Reproduce

To reproduce this vulnerability in a controlled environment, you would need a Spring application running an affected version and an available end point.

1. Set up a vulnerable Spring application:

Create a simple Spring Boot application using a vulnerable Spring Framework version, such as 5.3.16

2. Add additional files to fill out the project. Launch the app.

3. Craft a malicious request that, when parsed as a SpEL expression, attempts to invoke a method like doFilter() directly on a JSF component in a way that leads to an IllegalStateException:

T(java.lang.Math).pow(2, 10000000)

‍

4. Send the request to an end-point in the application, such as the one defined below:

@RestController
public class VulnerableController {

    private final ExpressionParser parser = new SpelExpressionParser();

    @GetMapping("/evaluate")
    public String evaluate(@RequestParam String expression) {
        return parser.parseExpression(expression).getValue(String.class);
    }
}

‍

5. Send the request to an end-point in the application using a tool such as curl or Postman:

http://localhost:8080/evaluate?expression=T(java.lang.Math).pow(2, 10000000)

‍

6. Observe the impact:

Monitor the server's CPU, memory, and disk usage with monitoring tools (particularly CPU usages since this flaw causes excessive computation). The denial-of-service (DoS) impact should be noticeable as the server executes the expression.
Server logs may also show system degradation.

Credits

Wenhao Wang from Meituan Security Response Center

‍

Mitigation

Spring Framework 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to supported versions of Spring Framework
Leverage a commercial support partner like HeroDevs for post-EOL security support.
A partial workaround is to avoid using user-supplied expressions.

‍