Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2024-22271: Spring Cloud Function Web DOS Vulnerability
Description
Description In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2, 4.0.x prior to 4.0.8 an application is vulnerable to a DOS attack when attempting to compose functions with non-existing functions.
Specifically, an application is vulnerable when all of the following are true:
User is using Spring Cloud Function Web module
Affected Spring Products and Versions Spring Cloud Function Framework 4.1.0 to 4.1.2 4.0.0 to 4.0.8
References https://spring.io/security/cve-2022-22979 https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/ History 2020-01-16: Initial vulnerability report published.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.1.0 | 4.1.2 | OSS |
| 4.0.0 | 4.0.8 | Commercial |
Users of affected versions should apply the following mitigation. 4.1.x users should upgrade to 4.1.2. 4.0.x users should upgrade to 4.0.8. No other steps are necessary.
Credit
This issue was identified and responsibly reported by devme4f from VNPT-VCI
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all