As part of our efforts to improve the security of open-source software, we continuously test open-source projects with our JVM fuzzing engine Jazzer in Google’s OSS-Fuzz. One of our tests yielded a Denial of Service vulnerability in the Spring Framework (CVE-2023-20861). Spring is one of the most widely used frameworks for developing web applications in Java. As a result, vulnerabilities have an amplified impact on all applications that rely on the vulnerable version.
Update: Another Expression DoS Found in Spring - CVE-2023-20863
Three weeks after the announcement of CVE-2023-20861, Jazzer's OSS-Fuzz integration found a second, more severe Expression DoS vulnerability in Spring. We wrote a separate blog post about the new vulnerability, including mitigation advice.
It is possible for a user to provide a specially crafted SpEL expression that causes a denial-of-service (DoS) condition. SpEL expression evaluation can result in an OutOfMemoryError when a large string is supplied to the repeat operator (<string> * <integer>). For example, the following SpEL expression can trigger the issue:
'xyz' * 941859717
Since Spring Framework 6.0.x implements the operator with String#repeat (introduced in Java 11), the OutOfMemoryError there is somewhat superficial: no attempt is made to allocate a string of the requested size. In Spring Framework 5.3.x (and earlier versions), however, the repeated text is built with a StringBuilder in a for-loop, which can lead to a genuine OutOfMemoryError.
Furthermore, the repeat operator can be used as a "gadget" to easily generate large strings in SpEL expressions that can then be passed to other SpEL operators (such as the matches operator) or components, potentially resulting in undesired effects.
Affected versions:
- 6.0.0 to 6.0.6
- 5.3.0 to 5.3.25
- 5.2.0.RELEASE to 5.2.22.RELEASE
- Older, unsupported versions are also affected
Fixes have already been released. These include adding limit checks for the effective size of repeated text as well as the length of a regular expression supplied to the matches operator.
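To make the shape of the fix concrete, here is an added example (our own illustration, not Spring's code) that places the 5.3.x-style StringBuilder loop next to a version that checks the effective size of the repeated text before allocating anything. The limit value and the class and method names are assumptions for illustration; Spring's actual constants are not stated on this page.

```java
import java.util.Arrays;

public final class BoundedRepeat {

    /** Assumed cap on the repeated text size in characters (illustrative value, not Spring's). */
    static final int MAX_REPEATED_TEXT_SIZE = 1024;

    /**
     * Pre-fix behaviour, as described for Spring 5.3.x: the loop keeps appending,
     * so a huge count exhausts the heap. Shown only for contrast with the check below.
     */
    static String repeatUnbounded(String text, int count) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < count; i++) {
            sb.append(text);
        }
        return sb.toString();
    }

    /** Hardened form: computes the effective size first and rejects oversized results. */
    static String repeatBounded(String text, int count) {
        if (count < 0) {
            throw new IllegalArgumentException("negative repeat count: " + count);
        }
        long resultSize;
        try {
            // multiplyExact guards the size computation itself against overflow
            resultSize = Math.multiplyExact((long) text.length(), (long) count);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("repeat size overflows", e);
        }
        if (resultSize > MAX_REPEATED_TEXT_SIZE) {
            throw new IllegalArgumentException(
                "repeated text would be " + resultSize + " chars, limit is " + MAX_REPEATED_TEXT_SIZE);
        }
        // Only now is memory reserved, and only for a size already known to be acceptable
        StringBuilder sb = new StringBuilder((int) resultSize);
        for (int i = 0; i < count; i++) {
            sb.append(text);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(repeatBounded("xyz", 3));
        try {
            repeatBounded("xyz", 941859717); // the count from the advisory's expression
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern (compute the effective size, compare against a limit, then allocate) is what a length check on the regular expression passed to the matches operator amounts to as well.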
Users of affected versions should upgrade to a new version that contains the fixes:
- 6.0.x users should upgrade to 6.0.7+.
- 5.3.x users should upgrade to 5.3.26+.
- 5.2.x users should upgrade to 5.2.23.RELEASE+.
Users of older, unsupported versions should upgrade to 6.0.7+ or 5.3.26+. No other steps are necessary.
We are grateful to the Spring maintainers for quickly responding to the issue and providing a fix and new releases.