CVE-2022-22971: Spring versions before 5.3.20 and 5.2.22 were vulnerable to a DoS attack via STOMP over WebSocket.

In this scenario, a legitimate user connects to the authenticated server and sends a message (such as “hello” or “world”) to the STOMP over WebSocket endpoint. The attacker also connects to the server and sends a message (such as “hello” or “world”) to the same endpoint. Because the two messages arrive from different IPs, the server fails to process one of them, and the processing of that message causes high CPU load. This could therefore be exploited to place high load on the application. The issue can be mitigated by using TLS encryption for the STOMP over WebSocket endpoint. A workaround is to disable the STOMP over WebSocket endpoint by setting “enable.send.web.stomp.enabled” to false in application.yml.

STOMP over WebSocket - CVE-2023-22870

STOMP over WebSocket is a protocol that enables clients and servers to communicate by exchanging messages over HTTP. It was introduced in JSR-356.
An attacker can send multiple messages at once, resulting in high CPU load on the server. In this scenario, the vulnerability can be mitigated by using TLS encryption for the STOMP over WebSocket endpoint when connecting to the authenticated server. A workaround is to disable the STOMP over WebSocket endpoint by setting “enable.send.web.stomp.enabled” to false in application.yml.

STOMP over WebSockets

STOMP over WebSocket is a protocol that carries STOMP over HTTP and WebSocket connections.
This vulnerability can be mitigated either by disabling the STOMP over WebSocket endpoint or by using TLS encryption for that endpoint.

Timeline

Published on: 05/12/2022 20:15:00 UTC
Last modified on: 07/25/2022 18:20:00 UTC
