With the release of the fix for CVE-2022-22968, improvements were made to the DataBinder in order to make its disallowedFields patterns case-insensitive. However, there's an underlying issue related to the String.toLowerCase() method that could create potential security risks, as it may result in fields not being protected as intended. In this long read post, we will investigate the impacts of Locale dependent exceptions associated with String.toLowerCase() and the implications of this vulnerability, CVE-2024-38820.

To understand the problem, let's have a look at the code snippet for DataBinder

private void applyDisallowedFields(ServletRequestDataBinder dataBinder) {
    if (this.disallowedFields != null) {
        for (String fieldName : this.disallowedFields) {
            dataBinder.setDisallowedField(fieldName.toLowerCase());
        }
    }
}

Here, String.toLowerCase() is applied to every fieldName in disallowedFields list. But this method can behave differently depending on the Locale settings in the system.

Original reference link for CVE-2022-22968: https://nvd.nist.gov/vuln/detail/CVE-2022-22968

Exploit Details

The issue arises when the toLowerCase() method is applied to non-ASCII characters/symbols. Depending on the default Locale in the system, it might not convert the characters correctly, which would result in fields with non-ASCII characters not being protected as expected.

For example, let's consider an application meant to be run in the Turkish locale. In the Turkish locale, the lower case of the character 'I' is 'ı', which is not an ASCII character. If a field is specified using this character as the name, it might not be disallowed as intended, leading to a potential security risk.

The primary reason for this vulnerability is the usage of String.toLowerCase() without specifying a Locale, which is not a consistent method for converting strings to lowercase. This issue could have been prevented by using String.toLowerCase(Locale.ENGLISH) instead, which would always use the English Locale, regardless of the system's Locale settings.

Mitigation

As a temporary mitigation, developers can subclass DataBinder and override the applyDisallowedFields method with a corrected implementation, for example:

@Override
protected void applyDisallowedFields(ServletRequestDataBinder dataBinder) {
    if (disallowedFields != null) {
        for (String fieldName : disallowedFields) {
            dataBinder.setDisallowedField(fieldName.toLowerCase(Locale.ENGLISH));
        }
    }
}

This solution will ensure that the disallowedFields() methods work consistently across different systems, regardless of their Locale settings. However, applying this fix system-wide would require changes at the framework level.

Conclusion

CVE-2024-38820 is a security vulnerability that affects DataBinder's disallowedFields patterns due to Locale-dependent and inconsistent behavior of String.toLowerCase() method. This issue can potentially result in fields not being protected as intended, exposing applications to harmful security risks. It is crucial for developers to be aware of the implications and use a more consistent method for converging strings to lowercase or override the affected method in DataBinder to work correctly across different systems.

Timeline

Published on: 10/18/2024 06:15:03 UTC
Last modified on: 11/05/2024 21:35:09 UTC