Bug 2069414 (CVE-2022-22950)

Summary: CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aboyko, aileenc, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dkreling, dosoudil, drieden, emingora, ewolinet, fjuma, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, iweiss, janstey, jcantril, jnethert, jochrist, jolee, jrokos, jross, jschatte, jstastny, jwon, kaycoth, krathod, kverlaen, lgao, lsurette, lthon, michal.skrivanek, mnovotny, mosmerov, mperina, msochure, msvehla, mszynkie, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, rareddy, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sbonazzo, sdouglas, smaestri, sthorger, swoodman, tmielke, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: spring-expression 5.3.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service.
Story Points: ---
Last Closed: 2022-08-31 18:25:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2074093, 2073177, 2084027
Bug Blocks: 2069417

Description Pedro Sampaio 2022-03-28 20:56:48 UTC
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

References:

https://tanzu.vmware.com/security/cve-2022-22950

Comment 3 juneau 2022-04-11 14:19:49 UTC
services-subscription-watch affected/delegated:

services-subscription-watch/rhsm/auto-registration-listener:7fe6e34/org.springframework:spring-expression-5.3.2 https://gitlab.cee.redhat.com/rhsm/automatic-registration/blob/master/pom.xml
services-subscription-watch/rhsm/rhsm-auto-registration-listener:7fe6e34/org.springframework:spring-expression-5.3.2 https://gitlab.cee.redhat.com/rhsm/automatic-registration/blob/production/pom.xml
services-subscription-watch/rhsm/marketplace-worker:28e1945/org.springframework:spring-expression-5.3.15 https://quay.io/cloudservices/rhsm-subscriptions:28e1945
services-subscription-watch/rhsm/swatch-system-conduit:latest/org.springframework:spring-expression-5.3.15 https://quay.io/cloudservices/swatch-system-conduit:latest

Comment 7 errata-xmlrpc 2022-07-07 14:22:53 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 8 errata-xmlrpc 2022-07-14 12:54:23 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555

Comment 10 errata-xmlrpc 2022-08-04 04:48:16 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903

Comment 12 Product Security DevOps Team 2022-08-31 18:25:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22950

Comment 13 errata-xmlrpc 2022-12-14 13:17:28 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2022:8761 https://access.redhat.com/errata/RHSA-2022:8761