CVE-2022-3252

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Improper detection of complete HTTP body decompression SwiftNIO Extras provides a pair of helpers for transparently decompressing received HTTP request or response bodies. These two objects (HTTPRequestDecompressor and HTTPResponseDecompressor) both failed to detect when the decompressed body was considered complete. If trailing junk data was appended to the HTTP message body, the code would repeatedly attempt to decompress this data and fail. This would lead to an infinite loop making no forward progress, leading to livelock of the system and denial-of-service. This issue can be triggered by any attacker capable of sending a compressed HTTP message. Most commonly this is HTTP servers, as compressed HTTP messages cannot be negotiated for HTTP requests, but it is possible that users have configured decompression for HTTP requests as well. The attack is low effort, and likely to be reached without requiring any privilege or system access. The impact on availability is high: the process immediately becomes unavailable but does not immediately crash, meaning that it is possible for the process to remain in this state until an administrator intervenes or an automated circuit breaker fires. If left unchecked this issue will very slowly exhaust memory resources due to repeated buffer allocation, but the buffers are not written to and so it is possible that the processes will not terminate for quite some time. This risk can be mitigated by removing transparent HTTP message decompression. The issue is fixed by correctly detecting the termination of the compressed body as reported by zlib and refusing to decompress further data. The issue was found by Vojtech Rylko (https://github.com/vojtarylko) and reported publicly on GitHub.

Una Detección inapropiada de la descompresión completa del cuerpo HTTP SwiftNIO Extras proporciona un par de ayudantes para descomprimir de forma transparente los cuerpos de petición o respuesta HTTP recibidos. Estos dos objetos (HTTPRequestDecompressor y HTTPResponseDecompressor) fallaban al detectar cuando el cuerpo descomprimido era considerado completo. Si eran añadidos datos basura al cuerpo del mensaje HTTP, el código intentaba repetidamente descomprimir estos datos y fallaba. Esto conllevaba a un bucle infinito que no avanzaba, conllevando a un bloqueo del sistema y una denegación de servicio. Este problema puede ser provocado por cualquier atacante capaz de enviar un mensaje HTTP comprimido. Lo más común es que trate de servidores HTTP, ya que los mensajes HTTP comprimidos no pueden ser negociados para peticiones HTTP, pero es posible que los usuarios hayan configurado la descompresión para peticiones HTTP también. El ataque es de bajo esfuerzo, y es probable que sea alcanzado sin requerir ningún privilegio o acceso al sistema. El impacto en la disponibilidad es alto: el proceso es convertido inmediatamente en no disponible pero no es bloqueado inmediatamente, lo que significa que es posible que el proceso permanezca en este estado hasta que un administrador intervenga o sea disparado un interruptor automático. Si no es controlado, este problema agotará muy lentamente los recursos de memoria debido a una asignación repetida de búferes, pero éstos no son escritos, por lo que es posible que los procesos no terminen durante bastante tiempo. Este riesgo puede mitigarse al eliminar la descompresión transparente de mensajes HTTP. El problema es corregido al detectar correctamente la terminación del cuerpo comprimido según lo informado por zlib y rechazando la descompresión de más datos. El problema fue encontrado por Vojtech Rylko (https://github.com/vojtarylko) y reportado públicamente en GitHub

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-20 CVE Reserved
2022-09-21 CVE Published
2024-04-13 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-606: Unchecked Input for Loop Condition
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (1)

URL	Tag	Source
https://github.com/apple/swift-nio-extras/security/advisories/GHSA-773g-x274-8qmf	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"		Swift-nio-extras Search vendor "Apple" for product "Swift-nio-extras"				< 1.9.2 Search vendor "Apple" for product "Swift-nio-extras" and version " < 1.9.2"		-		Affected
Apple Search vendor "Apple"		Swift-nio-extras Search vendor "Apple" for product "Swift-nio-extras"				>= 1.10.0 < 1.10.3 Search vendor "Apple" for product "Swift-nio-extras" and version " >= 1.10.0 < 1.10.3"		-		Affected
Apple Search vendor "Apple"		Swift-nio-extras Search vendor "Apple" for product "Swift-nio-extras"				>= 1.11.0 < 1.14.0 Search vendor "Apple" for product "Swift-nio-extras" and version " >= 1.11.0 < 1.14.0"		-		Affected