An Expression Denial of Service (DoS) vulnerability was found by Code Intelligence in the Spring Framework, a popular Java application development framework.
“As part of our efforts to improve the security of open-source software, we continuously test open-source projects with our JVM fuzzing engine Jazzer in Google’s OSS-Fuzz. One of our tests yielded a Denial of Service vulnerability in the Spring Framework (CVE-2023-20861),” Dae Glendowne, an application security engineer at Code Intelligence wrote in a blog post. “Spring is one of the most widely used frameworks for developing web applications in Java. As a result, vulnerabilities have an amplified impact on all applications that rely on the vulnerable version.”
In Spring Framework 5.3.x and previous versions, the repeated text is built in a for-loop with a StringBuilder, which can raise a legitimate OutOfMemoryError. That behaviour can be used as a “gadget” to easily generate very large strings from SpEL expressions, which is what makes it a vulnerability.
By exploiting the vulnerability, a user can supply a specially crafted SpEL expression that causes a DoS condition, according to Code Intelligence.
One already released fix adds limit checks for the effective size of repeated text as well as for the length of a regular expression supplied to the matches operator. Users of older, unsupported versions should upgrade to versions 6.0.7+ or 5.3.26+ for the fix.
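To make the kind of guard the fix describes concrete, the following is an added illustration written for this article, not Spring's own code: a repeat operation that computes the effective result size and rejects oversized requests before any StringBuilder growth happens, and a matches check that refuses patterns over a length cap. The class name BoundedStringOps, the two limit constants and their values are assumptions chosen for the example, not the limits the Spring fix uses.

```java
import java.util.regex.Pattern;

// Illustrative guards modelled on the checks the fix describes (assumed names
// and thresholds; not Spring's implementation). The point is to bound the
// work before doing it, so a hostile size request never reaches the allocator.
public final class BoundedStringOps {
    static final int MAX_REPEATED_TEXT_SIZE = 256;   // assumed cap, in chars
    static final int MAX_REGEX_LENGTH = 256;         // assumed cap, in chars

    private BoundedStringOps() {}

    /** Repeat {@code text} {@code count} times, refusing oversized results up front. */
    public static String repeat(String text, int count) {
        if (count < 0) {
            throw new IllegalArgumentException("count must be non-negative");
        }
        long effectiveSize;
        try {
            // multiplyExact keeps a silent int overflow from turning a huge request
            // into an apparently small one that slips past the limit check
            effectiveSize = Math.multiplyExact((long) text.length(), (long) count);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("repeated text size overflows", e);
        }
        if (effectiveSize > MAX_REPEATED_TEXT_SIZE) {
            // Reject before allocating: no StringBuilder growth, no OutOfMemoryError
            throw new IllegalArgumentException(
                "repeated text would be " + effectiveSize
                + " chars, limit is " + MAX_REPEATED_TEXT_SIZE);
        }
        // Pre-size the builder to the already-validated length
        StringBuilder sb = new StringBuilder((int) effectiveSize);
        for (int i = 0; i < count; i++) {
            sb.append(text);
        }
        return sb.toString();
    }

    /** Evaluate "input matches regex" only if the pattern is within the length cap. */
    public static boolean matches(String input, String regex) {
        if (regex.length() > MAX_REGEX_LENGTH) {
            throw new IllegalArgumentException(
                "regex length " + regex.length() + " exceeds limit " + MAX_REGEX_LENGTH);
        }
        return Pattern.matches(regex, input);
    }

    public static void main(String[] args) {
        // A small, legitimate repeat passes the size check
        System.out.println(repeat("ab", 3));
        // A short pattern passes the length check
        System.out.println(matches("abc123", "[a-z]+\\d+"));
        // An oversized request is refused before any memory is reserved for it
        try {
            repeat("x", Integer.MAX_VALUE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The useful property is that both rejections are cheap: the size check runs on two integers and the regex check on one string length, so an expression that would otherwise exhaust the heap or burn CPU is turned down in constant time with a normal exception that the surrounding code can log and handle.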