CVE-2022-22950: SpEL expressions in older versions of Spring Framework (5.3.0 - 5.3.16) can be used to cause a denial of service.

This denial of service condition can occur if the user passes a SpEL expression that calls the doFilter() method of a JSF component directly. The doFilter() method is not supported in version 5.3.0 or 5.3.1 of the Spring Framework due to the change in the doFilter() signature. Before version 5.3.0, doFilter() was supported and was changed to match the signature required by the Servlet 3.0 specification. In versions of the Spring Framework prior to 5.3.0 and 5.3.1, doFilter() returns false, which does not indicate an error and allows the SpEL expression to proceed to the next method call. If a user passes a SpEL expression that calls the doFilter() method of a JSF component, the doFilter() method is not supported, and an IllegalStateException is thrown. This can lead to a denial of service condition for the application if the user passes a SpEL expression that calls the doFilter() method of a JSF component directly.

CVE-2023-23226

This denial of service condition can occur if the user passes an expression that accesses the doFilter() method of a JSF component directly. The doFilter() method is not supported in versions 5.3.0 or 5.3.1 of the Spring Framework due to the change in the doFilter() signature. Before version 5.3.0, doFilter() was supported and was changed to match the signature required by the Servlet 3.0 specification. In versions of the Spring Framework prior to 5.3.0 and 5.3.1, doFilter() returns false, which does not indicate an error and allows the SpEL expression to proceed to the next method call, even if it calls a method that is not supported in versions 5.3.0 or 5.3.1 of the Spring Framework. Such a method is unsupported because it is not present in any release of the Spring Framework before version 5.3 (not all applicable methods are present in all releases). If a user passes an expression that accesses a method that is not supported by versions 5.* of the Spring Framework, an IllegalStateException is thrown. No other code inside this container provides fail-safe behavior, because no return value check is performed within this container at run time.

Products Affected

All versions of the Spring Framework prior to 5.3.0 and 5.3.1 are affected by this issue.

Symptoms of the DoS Condition

If a user passes a SpEL expression that calls the doFilter() method of a JSF component directly, the application experiences an IllegalStateException and cannot continue. Possible symptoms include:
- Outdated or incorrect version of the Spring Framework
- Permission denied exception during spring-servlet startup
- Unable to create new instances of long running processes
- Incorrect stack trace for the application

Timeline

Published on: 04/01/2022 23:15:00 UTC
Last modified on: 06/22/2022 13:53:00 UTC
