cvelistv5 - cve-2022-25897

URL	Tags
report@snyk.io	https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5	Patch, Third Party Advisory
report@snyk.io	https://github.com/eclipse/milo/issues/1030	Issue Tracking, Patch, Third Party Advisory
report@snyk.io	https://github.com/eclipse/milo/pull/1031	Patch, Third Party Advisory
report@snyk.io	https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191	Third Party Advisory

▼	Vendor	Product
	n/a	org.eclipse.milo:sdk-server

rhsa-2022_8902

Vulnerability from csaf_redhat

Published

2022-12-08 13:25

Modified

2024-11-24 12:25

Summary

Red Hat Security Advisory: Red Hat Camel for Spring Boot 3.18.3 release and security update

Notes

Topic

A minor version update (from 3.14.5 to 3.18.3) is now available for Camel for Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Security Fix(es): * commons-text: apache-commons-text: variable interpolation (CVE-2022-42889) * org.eclipse.milo-sdk-server: sdk-server: Denial of Service (CVE-2022-25897) * reactor-netty-http: Log request headers in some cases of invalid HTTP requests (CVE-2022-31684) For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A minor version update (from 3.14.5 to 3.18.3) is now available for Camel for Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* commons-text: apache-commons-text: variable interpolation (CVE-2022-42889)\n\n* org.eclipse.milo-sdk-server: sdk-server: Denial of Service (CVE-2022-25897)\n\n* reactor-netty-http: Log request headers in some cases of invalid HTTP requests (CVE-2022-31684)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:8902",
        "url": "https://access.redhat.com/errata/RHSA-2022:8902"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q4"
      },
      {
        "category": "external",
        "summary": "2135435",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
      },
      {
        "category": "external",
        "summary": "2136188",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136188"
      },
      {
        "category": "external",
        "summary": "2141353",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141353"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8902.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Camel for Spring Boot 3.18.3 release and security update",
    "tracking": {
      "current_release_date": "2024-11-24T12:25:56+00:00",
      "generator": {
        "date": "2024-11-24T12:25:56+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2022:8902",
      "initial_release_date": "2022-12-08T13:25:41+00:00",
      "revision_history": [
        {
          "date": "2022-12-08T13:25:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-12-08T13:25:41+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-24T12:25:56+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHINT Camel-Springboot 3.18.3",
                "product": {
                  "name": "RHINT Camel-Springboot 3.18.3",
                  "product_id": "RHINT Camel-Springboot 3.18.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:camel_spring_boot:3.18.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-25897",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2022-10-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2136188"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Eclipse Milo SDK Server. This flaw allows an attacker to consume the application memory, leading to a denial of service by sending specific requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "sdk-server: Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-Springboot 3.18.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-25897"
        },
        {
          "category": "external",
          "summary": "RHBZ#2136188",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136188"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25897",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-25897"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25897",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25897"
        }
      ],
      "release_date": "2022-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-12-08T13:25:41+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.18.3 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/camel_spring_boot_reference/index",
          "product_ids": [
            "RHINT Camel-Springboot 3.18.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8902"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-Springboot 3.18.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "sdk-server: Denial of Service"
    },
    {
      "cve": "CVE-2022-31684",
      "cwe": {
        "id": "CWE-117",
        "name": "Improper Output Neutralization for Logs"
      },
      "discovery_date": "2022-11-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2141353"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Reactor Netty HTTP Server, which may log request headers in some cases of invalid HTTP requests. This could allow an attacker to access privileged information when WARN level logging is enabled.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "reactor-netty-http: Log request headers in some cases of invalid HTTP requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-Springboot 3.18.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31684"
        },
        {
          "category": "external",
          "summary": "RHBZ#2141353",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141353"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31684",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31684"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31684",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31684"
        }
      ],
      "release_date": "2022-10-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-12-08T13:25:41+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.18.3 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/camel_spring_boot_reference/index",
          "product_ids": [
            "RHINT Camel-Springboot 3.18.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8902"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-Springboot 3.18.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "reactor-netty-http: Log request headers in some cases of invalid HTTP requests"
    },
    {
      "cve": "CVE-2022-42889",
      "cwe": {
        "id": "CWE-1188",
        "name": "Initialization of a Resource with an Insecure Default"
      },
      "discovery_date": "2022-10-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2135435"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9.  The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-text: variable interpolation RCE",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n  - Usage of specific methods that interpolate the variables as described in the flaw\n  - Usage of external input for those methods\n  - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-Springboot 3.18.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-42889"
        },
        {
          "category": "external",
          "summary": "RHBZ#2135435",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
        },
        {
          "category": "external",
          "summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
          "url": "https://blogs.apache.org/security/entry/cve-2022-42889"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
          "url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
        },
        {
          "category": "external",
          "summary": "https://seclists.org/oss-sec/2022/q4/22",
          "url": "https://seclists.org/oss-sec/2022/q4/22"
        }
      ],
      "release_date": "2022-10-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-12-08T13:25:41+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.18.3 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/camel_spring_boot_reference/index",
          "product_ids": [
            "RHINT Camel-Springboot 3.18.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8902"
        },
        {
          "category": "workaround",
          "details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
          "product_ids": [
            "RHINT Camel-Springboot 3.18.3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-Springboot 3.18.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-text: variable interpolation RCE"
    }
  ]
}

gsd-2022-25897

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

Aliases

CVE-2022-25897

Aliases

CVE-2022-25897

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-25897",
    "description": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.",
    "id": "GSD-2022-25897",
    "references": [
      "https://access.redhat.com/errata/RHSA-2022:8902"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-25897"
      ],
      "details": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.",
      "id": "GSD-2022-25897",
      "modified": "2023-12-13T01:19:27.635850Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "report@snyk.io",
        "DATE_PUBLIC": "2022-09-08T05:00:11.747866Z",
        "ID": "CVE-2022-25897",
        "STATE": "PUBLIC",
        "TITLE": "Denial of Service (DoS)"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "org.eclipse.milo:sdk-server",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "0.6.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Vera Mens"
        },
        {
          "lang": "eng",
          "value": "Uri Katz"
        },
        {
          "lang": "eng",
          "value": "Sharon Brizinov of Team82 (Claroty Research)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (DoS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191",
            "refsource": "MISC",
            "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"
          },
          {
            "name": "https://github.com/eclipse/milo/pull/1031",
            "refsource": "MISC",
            "url": "https://github.com/eclipse/milo/pull/1031"
          },
          {
            "name": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5",
            "refsource": "MISC",
            "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"
          },
          {
            "name": "https://github.com/eclipse/milo/issues/1030",
            "refsource": "MISC",
            "url": "https://github.com/eclipse/milo/issues/1030"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,0.6.8)",
          "affected_versions": "All versions before 0.6.8",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2022-09-13",
          "description": "The package org.eclipse.milo:sdk-server before 0.6.8 is vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.",
          "fixed_versions": [
            "0.6.8"
          ],
          "identifier": "CVE-2022-25897",
          "identifiers": [
            "CVE-2022-25897"
          ],
          "not_impacted": "All versions starting from 0.6.8",
          "package_slug": "maven/org.eclipse.milo/sdk-server",
          "pubdate": "2022-09-08",
          "solution": "Upgrade to version 0.6.8 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-25897",
            "https://github.com/eclipse/milo/issues/1030",
            "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5",
            "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191",
            "https://github.com/eclipse/milo/pull/1031"
          ],
          "uuid": "570b991e-f8c5-4379-85c1-25fc7615c50b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:milo:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.6.8",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2022-25897"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/eclipse/milo/issues/1030"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"
            },
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/eclipse/milo/pull/1031"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-09-13T20:17Z",
      "publishedDate": "2022-09-08T05:15Z"
    }
  }
}

ghsa-fph9-f5r6-vhqf

Vulnerability from github

Published

2022-09-15 03:35

Modified

2022-09-15 03:35

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)

Details

Impact

Denial of Service

Details

OPC UA specification describes a concept named Subscriptions. Subscriptions monitor a set of Monitored Items for Notifications and return them to the Client in response to Publish requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:

What is the maximum allowed number of concurrent sessions
For each active sessions - what is the maximum allowed number of concurrent subscription per a single session
For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription

Clarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.

The close session request closes a connected session. A deleteSubscription flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the deleteSubscription flag is False the server will store the subscriptions thus filling up the memory in an unlimited manner.

Sending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.

To trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.

Clarity PoC does: ``` while True: Open a valid OPC UA session Create multiple subscriptions Add monitored items to each subscription Close the session with the DeleteSubscriptions flag = False ````

Acknowledgement

We would like to thanks Vera Mens, Uri Katz, @sharonbrizinov of Team82 (Claroty Research) for this report.

For more information

If you have any questions or comments about this advisory: * Open an issue in Eclipse Milo repository * Email us at milo-dev

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.milo:sdk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:35:46Z",
    "nvd_published_at": "2022-09-08T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nDenial of Service\n\n### Details\n\nOPC UA specification describes a concept named _Subscriptions_. _Subscriptions_ monitor a set of _Monitored Items_ for _Notifications_ and return them to the _Client_ in response to _Publish_ requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:\n\n* What is the maximum allowed number of concurrent sessions\n* For each active sessions - what is the maximum allowed number of concurrent subscription per a single session\n* For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription\n\nClarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.\n\nThe close session request closes a connected session. A `deleteSubscription` flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the `deleteSubscription` flag is `False` the server will store the subscriptions thus filling up the memory in an unlimited manner.\n\nSending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.\n\nTo trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.\n\nClarity PoC does:\n```\nwhile True:\n    Open a valid OPC UA session\n    Create multiple subscriptions\n    Add monitored items to each subscription\n    Close the session with the DeleteSubscriptions flag = False\n````\n\n### Acknowledgement\n\nWe would like to thanks Vera Mens, Uri Katz, @sharonbrizinov of Team82 ([Claroty Research](https://claroty.com/)) for this report.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Eclipse Milo repository](https://github.com/eclipse/milo/issues)\n* Email us at [milo-dev](https://accounts.eclipse.org/mailing-list/milo-dev)\n",
  "id": "GHSA-fph9-f5r6-vhqf",
  "modified": "2022-09-15T03:35:46Z",
  "published": "2022-09-15T03:35:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/security/advisories/GHSA-fph9-f5r6-vhqf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/issues/1030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/pull/1031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse/milo"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)"
}

cve-2022-25897

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2022-25897

Vulnerability from cvelistv5

rhsa-2022_8902

Vulnerability from csaf_redhat

gsd-2022-25897

Vulnerability from gsd

ghsa-fph9-f5r6-vhqf

Vulnerability from github

Impact

Details

Acknowledgement

For more information

Tags

Sightings

Nomenclature