Coordinated Disclosure Timeline

Summary

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.

Product

Apache Tapestry

Tested Version

5.8.1

Details

Issue: Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022)

Apache Tapestry uses the following regular expression to match Content Type headers in the constructor of the ContentType class:

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Nested repetition: (;(.+=[^;]+))* can be divided between its quantifiers in exponentially many ways
private static final Pattern PATTERN = Pattern.compile("^(.+)/([^;]+)(;(.+=[^;]+))*$");
// --snip--
public ContentType(String contentType)
{
    Matcher matcher = PATTERN.matcher(contentType);

    // A header that does not fully match forces the engine to try every division before failing
    if (!matcher.matches())
    // --snip--
}

Note the nested repetition in (;(.+=[^;]+))*. When the input does not fully match, the regex engine must backtrack exponentially [1] to try every way of dividing the input between the + quantifier after the dot, the [^;]+ subexpression, and the * quantifier after the parentheses.

Although the ContentType class is not used to handle user-provided Content Type headers in the framework itself, an application that uses Apache Tapestry could do so, becoming vulnerable to attackers providing malicious headers that may cause the denial of service.

As an example, the following snippet shows how to reproduce the vulnerability using the constructor of the ContentType class:

import org.apache.tapestry5.http.ContentType; // ContentType lives in the tapestry-http module in 5.5+

public class RedosTapestryPoc {

    public static void main(String[] args) {
        // The trailing ';' prevents a full match, so PATTERN backtracks over every ";a=:" group
        new ContentType("a/a;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;");
    }
}

Note that JDK 9 introduced important mitigations for this problem, so in order to reproduce the issue with the above example, the application using Apache Tapestry must be run with JDK <= 8.
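As an added example (not Tapestry's code and not its fix), the hypothetical SafeContentTypeParser below parses the same type/subtype;key=value shape in a single left-to-right pass, so the pathological input above is rejected in linear time regardless of JDK version; it is stricter than the original pattern in that ';' may not appear inside the type or a parameter key.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical hardened replacement for the PATTERN-based constructor (assumed names, not Tapestry's API).
public final class SafeContentTypeParser {

    public static final class Parsed {
        public final String type;
        public final String subtype;
        public final Map<String, String> params;
        Parsed(String type, String subtype, Map<String, String> params) {
            this.type = type; this.subtype = subtype; this.params = params;
        }
    }

    /** Parses "type/subtype;k=v;k2=v2" without any backtracking regex. */
    public static Parsed parse(String contentType) {
        if (contentType == null) throw new IllegalArgumentException("null content type");
        String[] parts = contentType.split(";", -1); // -1 keeps an empty trailing field so "a/a;" is rejected
        int slash = parts[0].lastIndexOf('/');        // same choice the greedy (.+)/ makes
        if (slash < 1 || slash == parts[0].length() - 1) {
            throw new IllegalArgumentException("Invalid content type: " + contentType);
        }
        Map<String, String> params = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].lastIndexOf('=');       // same split the greedy .+= makes
            // key and value must both be non-empty, matching .+=[^;]+ ("a=:" ok, "a=", "=b" and "" rejected)
            if (eq < 1 || eq == parts[i].length() - 1) {
                throw new IllegalArgumentException("Invalid parameter: '" + parts[i] + "'");
            }
            params.put(parts[i].substring(0, eq), parts[i].substring(eq + 1));
        }
        return new Parsed(parts[0].substring(0, slash), parts[0].substring(slash + 1), params);
    }

    public static void main(String[] args) {
        Parsed ok = parse("text/html;charset=utf-8");
        System.out.println(ok.type + "/" + ok.subtype + " " + ok.params);

        // Constructed input with the same shape as the advisory's PoC: 30 ";a=:" groups and a trailing ';'
        StringBuilder sb = new StringBuilder("a/a");
        for (int i = 0; i < 30; i++) sb.append(";a=:");
        sb.append(";");
        try {
            parse(sb.toString());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected immediately: " + e.getMessage());
        }
    }
}
```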

Impact

This issue may lead to a denial of service of the application using Apache Tapestry by resource consumption.

Resources

[1] https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

[2] https://github.com/google/re2j

CVE

Credit

This issue was discovered and reported by the CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2022-022 in any communication regarding this issue.