CVE-2018-1257
Denial of Service vulnerability in spring-core (Maven)


What is CVE-2018-1257 About?

This vulnerability in Spring Framework's STOMP over WebSocket endpoints, when the simple in-memory broker is used, allows a malicious user to craft a message whose processing triggers regular expression matching that leads to a Denial of Service. The regex evaluation can consume excessive resources, making the service unresponsive. Exploitation requires sending a specially crafted message and is moderately easy.

Affected Software

  • org.springframework:spring-core
    • >5.0.0, <5.0.6
    • <4.3.17

Technical Details

The vulnerability affects applications built with Spring Framework that expose STOMP over WebSocket endpoints, specifically when configured to use a simple, in-memory STOMP broker via the spring-messaging module. The core of the issue lies in how the broker processes messages, particularly if it performs regular expression matching or parsing on user-provided input. A malicious user can craft a STOMP message containing a 'catastrophic backtracking' regular expression or an excessively complex string that, when processed by the broker's underlying regex engine, causes it to consume an inordinate amount of CPU and memory resources. This resource exhaustion leads to a Denial of Service (DoS), rendering the STOMP endpoint and potentially the entire application unresponsive to legitimate users.

What is the Impact of CVE-2018-1257?

Successful exploitation may allow attackers to consume excessive system resources, leading to a denial of service (DoS) for legitimate users and making the application unresponsive.

What is the Exploitability of CVE-2018-1257?

Exploitation requires the attacker to be able to send messages to a STOMP over WebSocket endpoint that uses a simple, in-memory broker in a Spring Framework application. The attack is remote and typically requires no authentication to send the initial message to the endpoint. The attacker does not need elevated privileges on the system, only network access to the exposed STOMP endpoint. The complexity involves crafting a regular expression that is computationally expensive for the regex engine to process. Special conditions include the endpoint being exposed and using the vulnerable Spring Messaging configuration. The ease with which a malicious message can be sent to an open STOMP endpoint increases the likelihood of a DoS if such a regex is discovered.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2018-1257?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch introduces the ability to disable or rename the selector header used for evaluating Spring EL expressions in subscription messages, which previously defaulted to "selector" and could not be turned off. This change fixes CVE-2018-1257 by allowing applications to set the selector header name to null or blank, effectively preventing clients from injecting arbitrary Spring EL expressions that could lead to remote code execution or information disclosure.

Available Upgrade Options

  • org.springframework:spring-core
    • <4.3.17 → Upgrade to 4.3.17
  • org.springframework:spring-core
    • >5.0.0, <5.0.6 → Upgrade to 5.0.6
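As an added example (not code from the advisory or from the Spring project), the following script scans `mvn dependency:tree` output for `org.springframework:spring-core` versions that fall inside the affected ranges listed above and reports the upgrade target. The sample tree text is constructed, and the range boundaries follow the advisory exactly (<4.3.17 and >5.0.0, <5.0.6).

```python
"""Scan `mvn dependency:tree` output for spring-core versions affected by CVE-2018-1257."""
import re
from typing import List, Optional, Tuple

ARTIFACT = "org.springframework:spring-core"

# One Maven coordinate per tree line: group:artifact:type:version:scope
DEP_LINE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):\w+:(?P<version>[^:\s]+):\w+")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '5.0.5.RELEASE' -> (5, 0, 5)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break  # stop at qualifiers such as RELEASE or BUILD-SNAPSHOT
        nums.append(int(part))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def fixed_version_for(version: str) -> Optional[str]:
    """Upgrade target if `version` is inside an affected range from the advisory, else None."""
    v = parse_version(version)
    if v < (4, 3, 17):             # advisory range: <4.3.17
        return "4.3.17"
    if (5, 0, 0) < v < (5, 0, 6):  # advisory range: >5.0.0, <5.0.6
        return "5.0.6"
    return None


def scan_dependency_tree(tree_text: str) -> List[Tuple[str, str]]:
    """Return (found version, recommended upgrade) for each affected spring-core entry."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if m and f"{m['group']}:{m['artifact']}" == ARTIFACT:
            fix = fixed_version_for(m["version"])
            if fix:
                findings.append((m["version"], fix))
    return findings


# Constructed sample output (not captured from a real build); the nested 5.0.5 entry is affected.
SAMPLE_TREE = """\
[INFO] +- org.springframework:spring-websocket:jar:5.0.5.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.0.5.RELEASE:compile
[INFO] \\- org.springframework:spring-messaging:jar:5.0.6.RELEASE:compile
"""

if __name__ == "__main__":
    for version, fix in scan_dependency_tree(SAMPLE_TREE):
        print(f"{ARTIFACT}:{version} is affected by CVE-2018-1257; upgrade to {fix}")
```

Feed it the real output of `mvn dependency:tree` to check a project; transitive copies of spring-core pulled in by spring-websocket or spring-messaging are reported the same way as direct ones.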


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1257?

Similar Vulnerabilities: CVE-2018-1270, CVE-2017-8045, CVE-2017-4995, CVE-2017-8046, CVE-2015-5211