CVE-2022-22971
denial of service attack vulnerability in spring-messaging (Maven)
What is CVE-2022-22971 About?
This vulnerability affects Spring Framework versions prior to 5.3.20 and 5.2.22 (fixed in 5.3.20+ and 5.2.22+) as well as older unsupported versions. An application that exposes a STOMP over WebSocket endpoint is susceptible to a denial of service attack triggered by an authenticated user sending malicious STOMP messages over that WebSocket endpoint.
Affected Software
- org.springframework:spring-messaging
- <5.2.22.RELEASE
- >5.3.0, <5.3.20
Technical Details
The vulnerability exists in the Spring Framework's handling of STOMP over WebSocket connections. An authenticated user can send specific malformed or excessively resource-intensive messages or sequences of messages over the STOMP WebSocket endpoint. This improper processing by the framework leads to resource exhaustion (e.g., CPU, memory, or connection limits) on the server side, resulting in a denial of service for other users or the entire application. The attack vector specifically leverages the STOMP protocol implemented over WebSockets.
What is the Impact of CVE-2022-22971?
Successful exploitation may allow attackers to disrupt services, cause application unresponsiveness, and render the affected system unavailable to legitimate users.
What is the Exploitability of CVE-2022-22971?
Exploitation of this denial of service vulnerability requires prior authentication to the application, specifically as a user with access to the STOMP over WebSocket endpoint. The complexity is moderate, as an attacker needs to understand the STOMP protocol and how to craft messages that cause resource issues without being immediately disconnected. No elevated privileges beyond a standard authenticated user are needed. This is a remote vulnerability, as the attack is performed over a network connection to the WebSocket endpoint. The primary risk factors are applications that expose STOMP over WebSocket without sufficient rate limiting, connection management, or robust handling of authenticated client messages.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| tchize | Link | PoC for CVE-2022-22971 |
What are the Available Fixes for CVE-2022-22971?
About the Fix from Resolved Security
The patch prevents processing of multiple CONNECT (or STOMP) frames for the same session: it checks whether a session is already established and, if so, ignores subsequent CONNECT requests. This fixes CVE-2022-22971 by blocking a session fixation attack vector where an attacker could exploit repeated CONNECT frames to hijack or disrupt user sessions.
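The per-session guard described in the Technical Details and in the fix above, as an added example that is not Spring's code: a minimal STOMP frame parser plus a session handler that processes CONNECT (or STOMP) once per session, ignores repeats, and counts them so a defender can surface repeated CONNECTs in logs. The frames, header values and function names are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed STOMP frames (not captured traffic): a normal CONNECT, a SEND,
# then a repeated CONNECT and a STOMP frame on the same, already-open session.
FRAMES = [
    "CONNECT\naccept-version:1.2\nhost:example\n\n\x00",
    "SEND\ndestination:/app/hello\ncontent-type:text/plain\n\nhi\x00",
    "CONNECT\naccept-version:1.2\nhost:example\n\n\x00",
    "STOMP\naccept-version:1.2\nhost:example\n\n\x00",
]

@dataclass
class Frame:
    command: str
    headers: dict
    body: str

def parse_frame(raw: str) -> Frame:
    # A STOMP frame is: command line, header lines, blank line, body, NUL.
    if not raw.endswith("\x00"):
        raise ValueError("frame missing NUL terminator")
    head, _, body = raw[:-1].partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)  # STOMP: first occurrence of a header wins
    return Frame(lines[0], headers, body)

@dataclass
class SessionState:
    connected: bool = False
    ignored_connects: int = 0           # repeated CONNECTs seen on a live session
    delivered: list = field(default_factory=list)

def handle(session: SessionState, frame: Frame) -> str:
    # Mirrors the fix's rule: CONNECT/STOMP is honoured only once per session.
    if frame.command in ("CONNECT", "STOMP"):
        if session.connected:
            session.ignored_connects += 1  # worth logging: possible DoS attempt
            return "ignored"
        session.connected = True
        return "connected"
    if not session.connected:
        return "rejected"  # no other frame is processed before a CONNECT
    session.delivered.append(frame.command)
    return "delivered"
```

The `ignored_connects` counter is the detection hook: a session that keeps re-sending CONNECT after being connected is the pattern the patch neutralises, and a non-zero count per session is a cheap signal to alert on.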
Available Upgrade Options
- org.springframework:spring-messaging
- <5.2.22.RELEASE → Upgrade to 5.2.22.RELEASE
- org.springframework:spring-messaging
- >5.3.0, <5.3.20 → Upgrade to 5.3.20
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-22971
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.netapp.com/advisory/ntap-20220616-0003/
- https://tanzu.vmware.com/security/cve-2022-22971
- https://github.com/spring-projects/spring-framework/commit/dc2947c52df18d5e99cad03383f7d6ba13d031fd
- https://github.com/spring-projects/spring-framework
- https://github.com/spring-projects/spring-framework/commit/159a99bbafdd6c01871228113d7042c3f83f360f
- https://osv.dev/vulnerability/GHSA-rqph-vqwm-22vc
What are Similar Vulnerabilities to CVE-2022-22971?
Similar Vulnerabilities: CVE-2022-22950, CVE-2022-22964, CVE-2021-22965, CVE-2021-22951, CVE-2020-5407
