https://bugzilla.redhat.com/show_bug.cgi?id=2087274
Bug ID: 2087274
Summary: CVE-2022-22971 springframework: DoS with STOMP over WebSocket
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, alazarot@redhat.com, anstephe@redhat.com, chazlett@redhat.com, dchen@redhat.com, drieden@redhat.com, emingora@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, gmalinko@redhat.com, ibek@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jochrist@redhat.com, jolee@redhat.com, jrokos@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, kverlaen@redhat.com, mnovotny@redhat.com, pdelbell@redhat.com, pjindal@redhat.com, puntogil@libero.it, rguimara@redhat.com, rrajasek@redhat.com, tzimanyi@redhat.com
Target Milestone: ---
Classification: Other
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
Reference: https://tanzu.vmware.com/security/cve-2022-22971
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Depends On | | 2087275
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2087275 [Bug 2087275] CVE-2022-22971 springframework: DoS with STOMP over WebSocket [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created springframework tracking bugs for this issue:
Affects: fedora-all [bug 2087275]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Blocks | | 2087215
Patrick Del Bello pdelbell@redhat.com changed:
What | Removed | Added
Fixed In Version | | springframework 5.3.20, springframework 5.2.22
--- Doc Text *updated* --- A flaw was found in Spring Framework. Applications that use a STOMP over WebSocket endpoint are vulnerable to a denial of service attack by an authenticated user.
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was found in Spring Framework Applications. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user.
--- Comment #3 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.11
Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2022:5532
--- Comment #4 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-22971
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2022-07-07 21:10:04
Ted Jongseok Won jwon@redhat.com changed:
What | Removed | Added
CC | | ataylor@redhat.com, mokumar@redhat.com, rkieley@redhat.com
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
AMQ Broker 7.11.0
Via RHSA-2023:1661 https://access.redhat.com/errata/RHSA-2023:1661
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2023:1661
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
AMQ Broker 7.10.3
Via RHSA-2023:3185 https://access.redhat.com/errata/RHSA-2023:3185
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2023:3185
Bug 2087274 depends on bug 2087275, which changed state.
Bug 2087275 Summary: CVE-2022-22971 springframework: DoS with STOMP over WebSocket [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2087275
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | EOL