CVE-2024-22271
Denial of Service (DoS) vulnerability in spring-cloud-function-context (Maven)

Denial of Service (DoS); no known exploit

What is CVE-2024-22271 About?

This Denial of Service (DoS) vulnerability in Spring Cloud Function framework versions 4.1.x prior to 4.1.2 and 4.0.x prior to 4.0.8 allows attackers to cause service disruption. It arises when an application attempts to compose functions with non-existent functions. Exploitation is relatively easy if an attacker can trigger function composition with invalid inputs.

Affected Software

  • org.springframework.cloud:spring-cloud-function-context
    • >=4.0.0, <4.0.8
    • >=4.1.0, <4.1.2

Technical Details

The vulnerability exists in the Spring Cloud Function framework, specifically in versions 4.1.x before 4.1.2 and 4.0.x before 4.0.8. An application is vulnerable when it uses the Spring Cloud Function Web module and an attacker can trigger an attempt to compose functions with non-existent functions. When the framework attempts to dynamically compose a series of functions and one or more functions named in the composition chain do not exist, the application enters an erroneous state. This state can consume excessive resources, including CPU and memory, or lead to unhandled exceptions that crash the application. Continuous or repeated triggering of such invalid function compositions by an attacker can overload the system and prevent legitimate requests from being processed, effectively causing a Denial of Service.
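The mitigation a practitioner would want ahead of the upgrade is to reject a composition expression before the framework tries to resolve it, and to notice clients that keep sending unknown names. The following is an added example (not code from the page or from the Spring Cloud Function project) that validates each name in an expression against the set of functions the application actually registers and counts rejections per client; it assumes that composed names are joined with '|' or ',' and that the catalog names and client identifiers are constructed sample data.

```python
import re
from collections import defaultdict

# Assumption: composed function names are joined with '|' or ','.
COMPOSITION_DELIMITERS = re.compile(r"[|,]")


def parse_composition(expr):
    """Split an expression such as 'upper|reverse' into its function names."""
    return [name.strip() for name in COMPOSITION_DELIMITERS.split(expr) if name.strip()]


def validate_composition(expr, catalog):
    """Return (ok, unknown_names); ok is False for empty input or any unknown name.

    Checking every name here means a request naming a non-existent function is
    refused up front instead of being handed to the framework's composition logic.
    """
    names = parse_composition(expr)
    if not names:
        return False, []
    unknown = [name for name in names if name not in catalog]
    return len(unknown) == 0, unknown


class CompositionGuard:
    """Validates compositions and flags clients that repeatedly send unknown names."""

    def __init__(self, catalog, threshold=5):
        self.catalog = set(catalog)
        self.threshold = threshold
        self.rejections = defaultdict(int)

    def check(self, client, expr):
        ok, unknown = validate_composition(expr, self.catalog)
        if not ok:
            self.rejections[client] += 1  # one count per rejected request
        return ok, unknown

    def flagged(self):
        """Clients whose rejected-composition count reached the threshold."""
        return sorted(c for c, n in self.rejections.items() if n >= self.threshold)


def run_demo():
    """Constructed sample traffic: one clean client, one probing unknown names."""
    guard = CompositionGuard(catalog={"upper", "reverse", "trim"}, threshold=3)
    guard.check("10.0.0.5", "upper|reverse")  # valid composition, accepted
    for bogus in ("upper|nope", "missing,trim", "x|y|z"):
        guard.check("10.0.0.9", bogus)  # each is rejected before composition
    return guard.flagged()  # returns ['10.0.0.9']
```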

What is the Impact of CVE-2024-22271?

Successful exploitation may allow attackers to cause a denial-of-service, leading to service unavailability or unresponsiveness of the application.

What is the Exploitability of CVE-2024-22271?

Exploitation of this Denial of Service (DoS) vulnerability is of low to medium complexity. It requires remote access to the Spring Cloud Function Web module. No authentication is likely required for the attacker to trigger this, as the attack relies on making requests that attempt to compose non-existent functions. The main prerequisite is that the application is running an affected version of the Spring Cloud Function framework and uses its Web module. The attacker needs to send requests that attempt to compose functions using invalid or non-existent function names. There are no special conditions beyond crafting the request to trigger the faulty function composition. Risk factors that increase exploitation likelihood include publicly exposed endpoints that allow dynamic function composition through user-controlled input without proper validation of function names.

What are the Known Public Exploits?

No known public exploits are listed; the PoC table (PoC, Author, Link, Commentary) is empty.

What are the Available Fixes for CVE-2024-22271?

Available Upgrade Options

  • org.springframework.cloud:spring-cloud-function-context
    • >=4.0.0, <4.0.8 → Upgrade to 4.0.8
  • org.springframework.cloud:spring-cloud-function-context
    • >=4.1.0, <4.1.2 → Upgrade to 4.1.2


Additional Resources

What are Similar Vulnerabilities to CVE-2024-22271?

Similar Vulnerabilities: CVE-2022-22979, CVE-2021-22002, CVE-2021-22003, CVE-2021-22004, CVE-2021-22005