Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.
A Denial of Service (DoS) vulnerability (CVE-2022-22971) has been identified in the spring-messaging package of Spring Framework. It allows an attacker to overwhelm a server with specially crafted requests.
Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resource handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.
This issue affects multiple versions of spring-messaging from Spring Framework.
Details
Module Info
- Product: Spring Framework
- Affected packages: spring-messaging
- Affected versions: <5.2.22, >=5.3.0 <5.3.20
- GitHub repository: https://github.com/spring-projects/spring-framework
- Package manager: Maven
- Fixed in: NES for Spring Framework v4.3.32 and v5.3.43
Vulnerability Info
A Spring application with a STOMP over WebSocket endpoint can be exploited by an authenticated user to perform a denial of service attack.
An authenticated user can exploit this by continuously sending a stream of STOMP CONNECT messages over an already connected session. Each CONNECT forces the server to re-create the session's state and generate a response, which can exhaust server resources and result in a denial of service.
Steps To Reproduce
- Set up a server that handles STOMP over WebSocket using the Spring "Using WebSocket to build an interactive web application" guide (gs-messaging-stomp-websocket), whose endpoint is /gs-guide-websocket.
- Downgrade Spring Boot to a vulnerable version, such as 2.7.0.
- In the guide's complete folder, add a test to GreetingIntegrationTests that sends multiple CONNECT messages on one session:
```java
// Added to the guide's GreetingIntegrationTests. The class must be annotated with
// @ExtendWith(OutputCaptureExtension.class) so JUnit injects CapturedOutput, and it
// already declares the @LocalServerPort int port field used in the handshake URL.
// Extra imports beyond the guide's own: org.assertj.core.api.Assertions,
// org.springframework.boot.test.system.CapturedOutput,
// org.springframework.web.socket.handler.LoggingWebSocketHandlerDecorator,
// org.springframework.web.socket.handler.TextWebSocketHandler
@Test
public void multipleConnect(CapturedOutput output) throws ExecutionException, InterruptedException, IOException {
    WebSocketClient client = new StandardWebSocketClient();
    // Print every frame the server sends back so the exchange is visible in the test output
    WebSocketHandler handler = new LoggingWebSocketHandlerDecorator(new TextWebSocketHandler() {
        @Override
        protected void handleTextMessage(WebSocketSession session, TextMessage message) throws Exception {
            System.out.println("Received message: " + message.getPayload());
        }
    });
    WebSocketSession session = client.doHandshake(handler, "ws://localhost:{port}/gs-guide-websocket", port).get();
    for (int i = 0; i < 100; i++) {
        // Send a raw, NUL-terminated STOMP CONNECT frame on the same WebSocket session
        session.sendMessage(new TextMessage("CONNECT\naccept-version:1.2\n\n\u0000"));
    }
    // Patched versions log this warning for every CONNECT after the first one
    Assertions.assertThat(output).contains("Ignoring CONNECT in session ").contains(". Already connected.");
}
```
This test passes on patched versions, which ignore the additional CONNECT messages and log the warning above. On vulnerable versions the session state is reinitialized on every CONNECT and the warning is never logged.
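The check that makes the test above pass is easy to reproduce at the application layer. The following is an added example, not code from this advisory or from Spring's own patch: a ChannelInterceptor on the client inbound channel that remembers which sessions have already completed a CONNECT and drops any further CONNECT frame for them before it reaches the broker, which is the behaviour the vulnerability description says the server lacks. It assumes Spring Framework 5.3 (ChannelInterceptor with default methods, SessionDisconnectEvent) and that the application already has a configuration annotated with @EnableWebSocketMessageBroker, as the guide does; the class names are made up for this example. It is a defense-in-depth layer and a way to see the fix's logic in isolation, not a substitute for upgrading.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.messaging.SessionDisconnectEvent;

/**
 * Example (hypothetical class name): drops a CONNECT frame arriving on a session that
 * is already connected, so the broker never re-creates that session's state.
 */
public class DuplicateConnectInterceptor implements ChannelInterceptor {

    // Session ids that have completed a CONNECT; ConcurrentHashMap backs a thread-safe set
    private final Set<String> connectedSessions = ConcurrentHashMap.newKeySet();

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        SimpMessageHeaderAccessor accessor =
                MessageHeaderAccessor.getAccessor(message, SimpMessageHeaderAccessor.class);
        if (accessor == null || accessor.getSessionId() == null) {
            return message; // not a STOMP session message, leave it untouched
        }
        String sessionId = accessor.getSessionId();
        // STOMP "CONNECT" and "STOMP" frames both map to SimpMessageType.CONNECT
        if (accessor.getMessageType() == SimpMessageType.CONNECT) {
            // Set.add() returns false when this session has already connected
            if (!connectedSessions.add(sessionId)) {
                // Returning null from preSend discards the frame before the broker sees it
                return null;
            }
        }
        return message;
    }

    // Forget the session when its transport closes, whether or not a DISCONNECT frame arrived
    @EventListener
    public void onDisconnect(SessionDisconnectEvent event) {
        connectedSessions.remove(event.getSessionId());
    }
}

// Hypothetical config class. It does not repeat @EnableWebSocketMessageBroker: Spring
// applies every WebSocketMessageBrokerConfigurer bean to the one enabled broker setup.
@Configuration
class DuplicateConnectConfig implements WebSocketMessageBrokerConfigurer {

    // Registered as a bean so the @EventListener method above is picked up
    @Bean
    DuplicateConnectInterceptor duplicateConnectInterceptor() {
        return new DuplicateConnectInterceptor();
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        // The interceptor runs on every inbound client frame, ahead of the broker handler
        registration.interceptors(duplicateConnectInterceptor());
    }
}
```

Tracking state in the interceptor rather than in the broker is deliberate: the interceptor sees each frame exactly once on the client inbound channel, and removing the session id on SessionDisconnectEvent rather than only on a DISCONNECT frame keeps the set from growing when clients drop the connection without sending one.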
Credits
- David Delbecq and Rémy Vermeiren from HMS Industrial Networks, Business Unit Ewon, R&D Department - Software
Mitigation
Spring Framework 4.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Framework.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.