CVE-2024-22271

Published: 09 Jul 2024
Source: redhat
CVSS3: 7.5

Description

In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2 and 4.0.x prior to 4.0.8, an application is vulnerable to a DoS attack when attempting to compose functions with non-existing functions. Specifically, an application is vulnerable when all of the following are true:

User is using Spring Cloud Function Web module

Affected Spring Products and Versions: Spring Cloud Function Framework 4.1.0 to 4.1.2, 4.0.0 to 4.0.8

References:
https://spring.io/security/cve-2022-22979
https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/

History:
2020-01-16: Initial vulnerability report published.

A flaw was found in the Spring Cloud Function framework. Affected versions of this package are vulnerable to denial of service (DoS) when attempting to compose functions with nonexisting functions. This flaw allows an attacker to trigger a cache overflow.

Statement

The vulnerability in the Spring Cloud Function framework, which allows an attacker to trigger a cache overflow by attempting to compose functions with nonexisting functions, represents an important-severity issue due to its potential to facilitate Denial of Service (DoS) attacks. Such attacks can exploit the cache overflow mechanism to consume excessive computational resources, thereby degrading system performance and rendering the application unavailable to legitimate users.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                                      | Package                                                    | State        | Advisory | Release
--------------------------------------------------------------|------------------------------------------------------------|--------------|----------|--------
A-MQ Clients 2                                                | org.springframework.cloud/spring-cloud-function-context    | Not affected |          |
Red Hat Data Grid 8                                           | org.springframework.cloud/spring-cloud-function-context    | Not affected |          |
Red Hat JBoss Data Grid 7                                     | org.springframework.cloud/spring-cloud-function-context    | Will not fix |          |
Red Hat JBoss Enterprise Application Platform 7               | spring-cloud-function-context                              | Not affected |          |
Red Hat JBoss Enterprise Application Platform 8               | spring-cloud-function-context                              | Not affected |          |
Red Hat JBoss Enterprise Application Platform Expansion Pack  | org.springframework.cloud/spring-cloud-function-context    | Affected     |          |


Additional information

Status: Important
Defect: CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=2296608
spring-cloud-function-context: Spring Cloud Function Web DOS Vulnerability

CVSS3: 7.5 (High)

Related vulnerabilities

CVSS3: 8.2
nvd
more than 1 year ago

In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2 and 4.0.x prior to 4.0.8, an application is vulnerable to a DoS attack when attempting to compose functions with non-existing functions.

CVSS3: 8.2
github
more than 1 year ago

Spring Cloud Function Framework vulnerable to Denial of Service

CVSS3: 8.2
fstec
more than 1 year ago

Vulnerability in the web module of the Spring Cloud Function software platform that allows an attacker to carry out a denial-of-service attack
