Just recently, our open-source fuzzing engine Jazzer found an Expression DoS vulnerability in Spring (CVE-2023-20861). Now, three weeks later, Jazzer found another similar Expression DoS in the Spring framework, labeled CVE-2023-20863. This new finding has an even higher CVSS score of 7.5 (high), compared to the previous finding which came in at 5.3 (medium). Both vulnerabilities were found within Google's OSS-Fuzz, where Jazzer has been integrated as part of an ongoing collaboration between Code Intelligence and Google's open-source security team, with the goal of securing open-source projects.
Spring is a popular framework used for web application development in Java. As such, vulnerabilities in Spring can have a significant impact on applications that depend on the affected version.
Description of CVE-2023-20863
Users can input a specifically manipulated SpEL expression that can trigger a denial-of-service (DoS) scenario.
Affected Versions:
- 6.0.0 to 6.0.7
- 5.3.0 to 5.3.26
- 5.2.0.RELEASE to 5.2.23.RELEASE
Outdated, unsupported versions are also susceptible.
Mitigation and Remediation
Fixes have been issued to address the CVE, which involve implementing limit checks on the size of repeated text and the length of regular expressions used in the matches operator. Users of impacted versions are strongly advised to upgrade to a newer version that includes the fixes:
- 6.0.x users should upgrade to 6.0.8+.
- 5.3.x users should upgrade to 5.3.27+.
- 5.2.x users should upgrade to 5.2.24.RELEASE+.
Users of older, unsupported versions should upgrade to 6.0.7+ or 5.3.26+. No other steps are necessary.
References
- https://spring.io/security/cve-2023-20863
- https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O
- https://cwe.mitre.org/data/definitions/770.html
Acknowledgments
We express our appreciation to the Spring maintainers for their fast response in addressing the matter and delivering a fix through new releases.