Response to CVE-2022-22970, CVE-2022-22978

Posted by
Gábor Pécsy
on 03 06 2022

Summary of Chemaxon Actions:

Chemaxon architects and engineering teams are actively investigating the vulnerabilities CVE-2022-22970 (Spring Framework DoS via Data Binding to MultipartFile or Servlet Part) and CVE-2022-22978 (Authorization Bypass in RegexRequestMatcher) and potential exploits. We are committed to monitoring our clients for exposure and associated attacks and are taking action with approved mitigation efforts. We continue to monitor our own infrastructure and products as more information becomes available.

What do these vulnerabilities affect?

CVE-2022-22970:

A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to a DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

CVE-2022-22978:

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with "." in the regular expression are possibly vulnerable to an authorization bypass.
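As an added review aid that is not part of Chemaxon's advisory or of any Spring code: the Python script below scans Java security configuration for RegexRequestMatcher patterns that contain a bare "." and do not enable DOTALL inline, so each can be reviewed or the application upgraded. The sample configuration is constructed, and treating an inline DOTALL flag as already reviewed is this script's assumption, not something the advisory states.

```python
import re

# First string argument of `new RegexRequestMatcher("...", ...)` in Java source.
# Assumes a plain string literal (no concatenation or constants).
_MATCHER_CALL = re.compile(r'new\s+RegexRequestMatcher\s*\(\s*"((?:[^"\\]|\\.)*)"')
# Inline flag group such as (?s), (?is) or (?s:...) that enables DOTALL.
_DOTALL_FLAG = re.compile(r'\(\?[a-zA-Z]*s[a-zA-Z]*[):]')


def java_literal_to_regex(literal: str) -> str:
    """Body of a Java string literal -> the regex Java would compile."""
    return literal.encode("utf-8").decode("unicode_escape")


def has_unescaped_dot(regex: str) -> bool:
    """True if the regex contains a `.` metacharacter outside a character class."""
    i, in_class = 0, False
    while i < len(regex):
        c = regex[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            return True
        i += 1
    return False


def find_risky_matchers(java_source: str) -> list[str]:
    """Regex patterns handed to RegexRequestMatcher that use a bare `.` and do
    not enable DOTALL; on affected Spring Security versions these need review."""
    risky = []
    for m in _MATCHER_CALL.finditer(java_source):
        regex = java_literal_to_regex(m.group(1))
        if has_unescaped_dot(regex) and not _DOTALL_FLAG.search(regex):
            risky.append(regex)
    return risky

# Constructed sample configuration, not taken from any real project.
SAMPLE_CONFIG = r'''
http.authorizeRequests()
    .requestMatchers(new RegexRequestMatcher("/admin/.*", null)).hasRole("ADMIN")
    .requestMatchers(new RegexRequestMatcher("(?s)/reports/.*", "GET")).authenticated()
    .requestMatchers(new RegexRequestMatcher("/static/[^/]+\\.css", null)).permitAll();
'''
```

Running `find_risky_matchers(SAMPLE_CONFIG)` reports only the `/admin/.*` pattern; the escaped dot and the DOTALL-flagged pattern are left alone.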

Next steps

Product development is working on fixing the vulnerabilities in the affected products; we are handling this at the highest priority. We will continue to provide updates in this document as necessary.

Resources:

https://nvd.nist.gov/vuln/detail/CVE-2022-22970

https://nvd.nist.gov/vuln/detail/CVE-2022-22978

https://tanzu.vmware.com/security/cve-2022-22970

https://tanzu.vmware.com/security/cve-2022-22978