===================================================================== CERT-Renater Note d'Information No. 2022/VULN206 _____________________________________________________________________ DATE : 16/06/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Spring Cloud Function versions prior to 3.2.6. ===================================================================== https://tanzu.vmware.com/security/cve-2022-22979 _____________________________________________________________________ CVE-2022-22979: Spring Cloud Function Dos Vulnerability Severity High Vendor Spring by VMware Description In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog component of the framework. At the time of writing of this CVE such interaction is only possible via spring-cloud-function-web module. Affected VMware Products and Versions Severity is high unless otherwise noted. Spring Cloud Function 3.2.5 Older, unsupported versions are also affected Mitigation Users of affected versions should upgrade to 3.2.6. No other steps are necessary. Releases that have fixed this issue include: Spring Cloud Function 3.2.6 Credit This vulnerability was initially discovered and responsibly reported by Yaniv.Nizry@checkmarx.com. References https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H https://cwe.mitre.org/data/definitions/770.html https://cwe.mitre.org/data/definitions/497.html History 2022-06-15: Initial vulnerability report published. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================