Integer overflow in Spring Security

#VU63342 Integer overflow in Spring Security

Published: 2022-05-17

Vulnerability identifier: #VU63342

Vulnerability risk: Low

CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-22976

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Spring Security
Server applications / Frameworks for developing and running applications

Vendor: VMware, Inc

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in BCrypt class with the maximum work factor (31) for BCryptPasswordEncoder. The encoder does not perform any salt rounds, which weakens encryption capabilities of the software.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Spring Security: 5.0.0 - 5.6.3

External links
http://tanzu.vmware.com/security/cve-2022-22976

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Storage Copy Data Management

Multiple vulnerabilities in IBM Storage Protect Plus Server

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

IBM Process Mining update for Spring Security

OpenShift Developer Tools and Services for OCP 4.11 update for jenkins and jenkins-2-plugins

Multiple vulnerabilities in IBM InfoSphere Information Server

Multiple vulnerabilities in IBM i Modernization Engine for Lifecycle Integration

Multiple vulnerabiities in Cloud Foundry UAA

Multiple vulnerabilities in Cloud Foundry uaa-release

Multiple vulnerabilities in VMware Spring Security