CVE-2022-22970
DoS vulnerability in org.springframework:spring-beans
What is CVE-2022-22970 About?
This vulnerability allows a Denial of Service (DoS) attack against Spring Framework versions prior to 5.3.20 and 5.2.22. Applications that handle file uploads are susceptible if they rely on data binding to set a MultipartFile or javax.servlet.Part field in a model object. The vulnerability is relatively easy to exploit.
Affected Software
- org.springframework:spring-beans
  - <5.2.22.RELEASE
  - >5.3.0, <5.3.20
Technical Details
The vulnerability exists in Spring Framework versions before 5.3.20 and 5.2.22, as well as older unsupported versions. Specifically, applications that process file uploads and rely on data binding to assign a `MultipartFile` or `javax.servlet.Part` object to a field of a model object are vulnerable. An attacker can craft a file upload request that, when processed by the application's data binding mechanism, causes excessive resource consumption and a denial of service. The attack vector is therefore a specially crafted file upload request that triggers the DoS condition during data binding.
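The vulnerable binding pattern described above, shown as a Spring MVC controller with an @InitBinder allowlist added as defense in depth alongside the version upgrade. This is an added example, not code from the advisory or the Spring project; the controller, form class, field names and the 10 MiB size cap are assumed.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.multipart.MultipartFile;

@Controller
public class UploadController {

    // Model object populated by data binding. A MultipartFile field is the shape the
    // advisory describes as vulnerable on spring-beans < 5.2.22.RELEASE / < 5.3.20.
    // (UploadForm and its fields are assumed names for this example.)
    public static class UploadForm {
        private MultipartFile file;
        private String description;
        public MultipartFile getFile() { return file; }
        public void setFile(MultipartFile file) { this.file = file; }
        public String getDescription() { return description; }
        public void setDescription(String description) { this.description = description; }
    }

    // Defense in depth: allow only the two top-level fields the form declares.
    // DataBinder matches allowed patterns against the full property path, so a
    // nested path such as "file.<anything>" is rejected rather than bound.
    // This narrows what request parameters can reach; upgrading spring-beans is the fix.
    @InitBinder("uploadForm")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("file", "description");
    }

    @PostMapping("/upload")
    public String handle(@ModelAttribute("uploadForm") UploadForm form) {
        MultipartFile file = form.getFile();
        if (file == null || file.isEmpty()) {
            return "redirect:/upload?error=empty";
        }
        // Check the declared size before touching the content (10 MiB cap is assumed).
        long maxBytes = 10L * 1024 * 1024;
        if (file.getSize() > maxBytes) {
            return "redirect:/upload?error=too-large";
        }
        return "redirect:/upload?ok";
    }
}
```

In Spring Boot, `spring.servlet.multipart.max-file-size` and `spring.servlet.multipart.max-request-size` cap upload sizes before binding runs, which bounds the work any single request can cause.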
What is the Impact of CVE-2022-22970?
Successful exploitation may allow attackers to render the application unresponsive or unavailable, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2022-22970?
Exploitation involves crafting malicious file upload requests and is of low to medium complexity. No specific authentication or high privileges are typically required, as the attack targets functionality available to users interacting with file upload features. Remote access is possible, as attackers can send these requests over the network. The main prerequisite is that the application uses vulnerable Spring Framework versions and relies on data binding for `MultipartFile` or `javax.servlet.Part`. Risk factors include publicly accessible endpoints with file upload functionality.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Performant-Labs | Link | PoC for CVE-2022-22970 |
What are the Available Fixes for CVE-2022-22970?
About the Fix from Resolved Security
The patch fixes CVE-2022-22970 by updating Spring’s property introspection logic to ensure that read-only properties of types like ClassLoader, ProtectionDomain, and AutoCloseable are ignored and not bound during bean instantiation. This prevents an attacker from manipulating such sensitive properties via data binding, which could be used for privilege escalation or other attacks. It specifically restricts introspection on these types and special-cases URL beans to avoid loading remote content via data binding.
Available Upgrade Options
- org.springframework:spring-beans
  - <5.2.22.RELEASE → Upgrade to 5.2.22.RELEASE
  - >5.3.0, <5.3.20 → Upgrade to 5.3.20
Additional Resources
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://tanzu.vmware.com/security/cve-2022-22970
- https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583
- https://security.netapp.com/advisory/ntap-20220616-0006
- https://github.com/spring-projects/spring-framework
- https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2
- https://nvd.nist.gov/vuln/detail/CVE-2022-22970
What are Similar Vulnerabilities to CVE-2022-22970?
Similar Vulnerabilities: CVE-2022-24434, CVE-2022-3517, CVE-2022-25858, CVE-2022-31030, CVE-2022-29078
