CVE-2021-22112
Information Disclosure vulnerability in spring-security-bom (Maven)
What is CVE-2021-22112 About?
Bouncy Castle's `X509LDAPCertStoreSpi.java` (pre-1.73) does not correctly escape wildcard characters in X.500 names within certs, leading to LDAP injection and information disclosure. An attacker can craft a self-signed certificate to manipulate LDAP search queries. Exploitation is moderately complex, leveraging blind LDAP injection techniques.
Affected Software
- org.springframework.security:spring-security-bom
  - >5.3.0, <5.3.8
  - >5.4.0, <5.4.4
  - <5.2.9
- org.springframework.security:spring-security-web
  - >5.3.0, <5.3.8
  - >5.4.0, <5.4.4
  - <5.2.9
Technical Details
The vulnerability exists in the `X509LDAPCertStoreSpi.java` class within Bouncy Castle versions prior to 1.73. This class is used for validating certificate paths via the CertPath API and interacts with LDAP directories. The flaw is that the implementation does not properly sanitize or escape wildcard and filter metacharacters (e.g., `*`, `(`, `)`) when processing X.500 names (subject or issuer) from certificates. An attacker can craft a self-signed certificate whose subject name contains these special characters (e.g., `CN=Subject*)(objectclass=`). When this certificate is processed, its subject name is incorporated directly into an LDAP search filter. The unescaped special characters become part of the LDAP query, allowing an attacker to inject arbitrary LDAP filter syntax. This enables blind LDAP injection, where an attacker can enumerate valid attribute values by observing the LDAP server's responses (or lack thereof), thereby leading to information disclosure from the LDAP directory regarding user accounts, groups, or other sensitive attributes, depending on the directory's structure.
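The following is an added example, not code from the advisory or from Bouncy Castle, showing the defect class described above in miniature: an attribute value taken from a certificate's X.500 name is concatenated into an LDAP search filter, first without escaping and then with RFC 4515 escaping. The attribute name `cn`, the sample subject value and the `count_assertions` sanity check are all assumptions for the purpose of illustration; they do not reproduce the actual `X509LDAPCertStoreSpi` filter layout.

```python
"""Added example (not from the advisory or Bouncy Castle): building an LDAP
search filter from a certificate-supplied value, unescaped versus RFC 4515-escaped."""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(attr: str, value: str) -> str:
    """The hazardous pattern: the value is concatenated straight into the filter.
    Hypothetical layout; Bouncy Castle's real filter differs."""
    return f"({attr}={value})"


def build_filter_safe(attr: str, value: str) -> str:
    """The corrected pattern: the value is escaped before it enters the filter."""
    return f"({attr}={escape_filter_value(value)})"


def count_assertions(ldap_filter: str) -> int:
    """Count '(attr=value)' assertions in a filter, skipping RFC 4515 escapes.

    A defensive sanity check: a lookup for one attribute value must yield
    exactly one assertion. More than one means the value changed the query's
    structure, which is what the injection relies on.
    """
    count = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample subject value, modelled on the advisory's CN example.
    cn_value = "Subject*)(objectclass="
    unsafe = build_filter_unsafe("cn", cn_value)
    safe = build_filter_safe("cn", cn_value)
    print("unsafe:", unsafe, "assertions:", count_assertions(unsafe))
    print("safe:  ", safe, "assertions:", count_assertions(safe))
```

The unsafe filter becomes `(cn=Subject*)(objectclass=)`, two assertions where one was intended, so the directory evaluates filter syntax the certificate author chose. The escaped form `(cn=Subject\2a\29\28objectclass=)` stays a single equality match on the literal string, which is the behaviour the fixed Bouncy Castle release restores. The `count_assertions` check is one way a wrapper around a CertStore or LDAP client could refuse a filter whose shape does not match the template it was built from.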
What is the Impact of CVE-2021-22112?
Successful exploitation may allow attackers to extract sensitive information from the LDAP directory, such as usernames, organizational structure, or system configurations, leading to unauthorized data access and potential further system compromise.
What is the Exploitability of CVE-2021-22112?
Exploitation complexity is moderate, requiring an understanding of LDAP query syntax and blind LDAP injection techniques. An attacker needs to craft a specific self-signed certificate which they then present to a system using the vulnerable Bouncy Castle component for certificate path validation. Authentication is generally not required for the certificate validation process itself, as certificates are often processed from untrusted sources. No elevated privileges are necessary on the target system, only the ability to submit a certificate for processing. This is typically a remote attack. The primary risk factors are systems that perform X.509 certificate path validation using affected Bouncy Castle versions and connect to LDAP directories, especially if those directories contain sensitive data and expose subtle differences in responses for successful versus failed queries.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-22112?
Available Upgrade Options
- org.springframework.security:spring-security-bom
  - <5.2.9 → Upgrade to 5.2.9
  - >5.3.0, <5.3.8 → Upgrade to 5.3.8
  - >5.4.0, <5.4.4 → Upgrade to 5.4.4
- org.springframework.security:spring-security-web
  - <5.2.9 → Upgrade to 5.2.9
  - >5.3.0, <5.3.8 → Upgrade to 5.3.8
  - >5.4.0, <5.4.4 → Upgrade to 5.4.4
Additional Resources
- http://www.openwall.com/lists/oss-security/2021/02/19/7
- https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3E
- https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3E
- https://github.com/spring-projects/spring-security/releases/tag/5.4.4
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1%40%3Cpluto-dev.portals.apache.org%3E
- https://www.jenkins.io/security/advisory/2021-02-19
- https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
What are Similar Vulnerabilities to CVE-2021-22112?
Similar Vulnerabilities: CVE-2021-38297, CVE-2020-28052, CVE-2016-1000338, CVE-2024-29857, CVE-2020-5421
