Notifications

Loading…

Spring Framework Fixes Severe DoS Vulnerability in Latest Releases

A Critical Security Flaw Uncovered in Popular Java Framework Spring

CVE-2024-22233 - Spring Framework Web DoS Vulnerability

A severe vulnerability has been discovered in the popular Java framework Spring that could allow denial-of-service (DoS) attacks.

The vulnerability, tracked as CVE-2024-22233, affects Spring Framework versions 6.0.15 and 6.1.2. It was responsibly disclosed by a team of security researchers including Aleksander Blomskøld, LiveOverflow, ZetaTwo, anasbekar, zzgoon, 0xLegacyy, xyzeva, and AcroTiger.

The vulnerability arises when Spring MVC and Spring Security 6.1.6+ or 6.2.1+ are used together in an application, a common scenario for Spring Boot apps using the spring-boot-starter-web and spring-boot-starter-security dependencies.

In this configuration, a specially crafted HTTP request can trigger a DoS condition, making the application unresponsive.

Denial-of-service attacks are a serious threat, capable of taking down vital business systems and causing major disruption. The vulnerability in Spring is therefore highly concerning given its widespread use. Spring Framework is one of the most popular Java frameworks, providing key capabilities for developing Java enterprise applications.

The affected versions, 6.0.15 and 6.1.2, are currently being used by Spring Boot versions 3.1.7 and 3.2.1 respectively.

Upon responsible disclosure of the issue, the Spring team immediately released patched versions - 6.0.16 and 6.1.3 - to address the vulnerability. They recommend that all users of affected Spring Framework versions upgrade as soon as possible. The issue is now resolved for those on the latest releases.

While awaiting the upgrade, the Spring team advises that no other mitigations are required. They have confirmed that older framework versions are not susceptible, so users of Spring 5 or earlier do not need to take action. The vulnerability is also not present in Boot alone, only arising from the specific integration of Spring MVC and Spring Security.

The real-world impact of this vulnerability has likely been minimal so far. The issue was responsibly disclosed and patched quickly before knowledge became widespread. However, attackers may still attempt to exploit any unpatched systems.

Quick action from the open-source community contained the vulnerability before it could be exploited at scale. The researchers acted ethically in disclosing privately to the Spring team, who in turn responded rapidly with fixes. This prevented attackers from learning about the issue through public channels.

The Spring Framework has over 30 million downloads per month and underpins countless business-critical applications and services. A vulnerability that could take down those systems is highly serious, so credit goes to the security researchers and Spring team for their proactive handling of this issue.

This is not the first security flaw uncovered in the popular Java framework, however. In 2022, Spring developers had to scramble to fix CVE-2022-22963, a remote code execution vulnerability dubbed "Spring4Shell" that gained widespread notoriety.

While not as severe, the latest DoS vulnerability highlights the need for constant vigilance, regular updates and proactive security research on foundational open source libraries like Spring.

The risks extend beyond Spring itself to the many applications built on top of it. Integrating patched versions is critical for associated projects like Spring Boot to remain secure for their users. Developers should audit their dependency trees to identify any unpatched Spring Framework versions that need upgrading.

Read Also
1 comment
  1. sanath pollemore
    nice post