CVE-2022-22969: Spring Security OAuth Denial-of-Service Vulnerability
Recently, VMware issued a security bulletin disclosing a denial-of-service (DoS) vulnerability (CVE-2022-22969) in Spring Security OAuth. The flaw is rated critical. Because the application does not properly control the consumption of internal resources when processing requests that initiate the Authorization Request for the Authorization Code Grant, a remote, unauthenticated attacker can send many such requests and exhaust system resources using a single session.
Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms, and it includes features for implementing both consumers and providers of these protocols.
CVE-2022-22969 exposes OAuth 2.0 Client applications only. The vulnerability was discovered and responsibly reported by the Macchinetta/TERASOLUNA Framework Development Team. VMware states that it is not aware of any exploit for this vulnerability in the wild.
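The abuse pattern described above (one session repeatedly initiating the Authorization Request) is something an operator can watch for while the upgrade is rolled out. The following is an added detection example, not code from the advisory or from Spring Security OAuth: it scans constructed access-log lines, counts authorization-request initiations per session in a sliding window, and flags sessions above a threshold. The log format, the session field name and the endpoint path /login/oauth2 are assumptions chosen for the example.

```python
"""Flag a single session hammering the OAuth 2.0 client's authorization
request endpoint, the access pattern behind CVE-2022-22969.

Added example, not part of the advisory or of Spring Security OAuth.
The log format and the endpoint path are assumptions made for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed client endpoint that initiates the Authorization Request for the
# Authorization Code Grant (hypothetical path, not taken from the advisory).
AUTHZ_INIT_PATH = "/login/oauth2"

# Assumed log line shape: "<ISO timestamp> sid=<session id> path=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Return (timestamp, session id, path), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("sid"), m.group("path")


def max_hits_in_window(timestamps, window):
    """Largest number of events that fall inside any window of the given length."""
    timestamps = sorted(timestamps)
    best = 0
    start = 0
    for end, ts in enumerate(timestamps):
        # Slide the window start forward until it covers at most `window`.
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_abusive_sessions(log_lines, threshold=20, window_seconds=60):
    """Map session id -> peak authorization-request count for sessions that
    reach `threshold` initiations within any `window_seconds` window."""
    per_session = defaultdict(list)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line, skip it
        ts, sid, path = parsed
        if path == AUTHZ_INIT_PATH:
            per_session[sid].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for sid, stamps in per_session.items():
        peak = max_hits_in_window(stamps, window)
        if peak >= threshold:
            flagged[sid] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real data): one session repeating the
    authorization request 30 times in 30 seconds, one normal session with three
    requests, one unrelated page hit, and one malformed line."""
    base = datetime(2022, 4, 20, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{t} sid=a1b2c3 path={AUTHZ_INIT_PATH} status=302")
    for i in range(3):
        t = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{t} sid=d4e5f6 path={AUTHZ_INIT_PATH} status=302")
    lines.append(f"{base.strftime(fmt)} sid=d4e5f6 path=/home status=200")
    lines.append("malformed line that the parser skips")
    return lines


if __name__ == "__main__":
    for sid, peak in find_abusive_sessions(build_sample_log()).items():
        print(f"session {sid}: {peak} authorization requests within 60s")
```

The threshold and window are tuning knobs: a legitimate user rarely starts the authorization flow more than a handful of times per minute from one session, so a session far above that is a candidate for a session-level rate limit at the reverse proxy until the fixed release is deployed.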
Affected versions
- Spring Security OAuth
  - 2.5.x prior to 2.5.2
  - Older, unsupported versions
Unaffected versions
- Spring Security OAuth
  - 2.5.2+
Solution
A new Spring Security OAuth release that fixes CVE-2022-22969 is available; upgrade to an unaffected version as soon as possible.