{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/micronaut/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["micronaut-context"],"_cs_severities":["medium"],"_cs_tags":["dos","memory-exhaustion","micronaut"],"_cs_type":"advisory","_cs_vendors":["Micronaut"],"content_html":"\u003cp\u003eMicronaut\u0026rsquo;s \u003ccode\u003eTimeConverterRegistrar\u003c/code\u003e component contains a vulnerability that can lead to denial of service (DoS). The \u003ccode\u003eformattersCache\u003c/code\u003e within \u003ccode\u003eTimeConverterRegistrar\u003c/code\u003e is an unbounded \u003ccode\u003eConcurrentHashMap\u003c/code\u003e that caches \u003ccode\u003eDateTimeFormatter\u003c/code\u003e instances. The cache key is the \u003ccode\u003e@Format\u003c/code\u003e annotation pattern concatenated with the locale obtained from the HTTP \u003ccode\u003eAccept-Language\u003c/code\u003e header. By sending HTTP requests whose \u003ccode\u003eAccept-Language\u003c/code\u003e header carries arbitrary BCP 47 private-use subtags (e.g., \u003ccode\u003een-x-a001\u003c/code\u003e, \u003ccode\u003een-x-a002\u003c/code\u003e), an unauthenticated attacker can generate an effectively unlimited number of unique cache keys. Each key pins a new \u003ccode\u003eDateTimeFormatter\u003c/code\u003e in the cache, so memory consumption grows until the available heap is exhausted and the JVM fails with an \u003ccode\u003eOutOfMemoryError\u003c/code\u003e, crashing the application or leaving it unable to serve requests. The vulnerability affects Micronaut applications that expose endpoints with \u003ccode\u003e@Format\u003c/code\u003e-annotated temporal parameters and exists in \u003ccode\u003emicronaut-context\u003c/code\u003e versions 4.3.0 and above, up to but not including 4.10.22. This is similar to GHSA-2hcp-gjrf-7fhc but affects a different cache.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an HTTP request to a Micronaut server.\u003c/li\u003e\n\u003cli\u003eThe request carries a crafted \u003ccode\u003eAccept-Language\u003c/code\u003e header with a BCP 47 private-use subtag the server has not seen before (e.g., \u003ccode\u003een-x-attacker\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMicronaut\u0026rsquo;s \u003ccode\u003eHttpHeaders.findAcceptLanguage()\u003c/code\u003e parses the \u003ccode\u003eAccept-Language\u003c/code\u003e header and builds the locale with \u003ccode\u003eLocale.forLanguageTag()\u003c/code\u003e, which accepts any well-formed tag and preserves the private-use subtag, so every new tag yields a distinct \u003ccode\u003eLocale\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe extracted locale is passed to \u003ccode\u003eAbstractRouteMatch.newContext()\u003c/code\u003e and stored in the \u003ccode\u003eConversionContext\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is routed to an endpoint with a \u003ccode\u003e@Format\u003c/code\u003e-annotated temporal parameter.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eTimeConverterRegistrar.getFormatter(pattern, context)\u003c/code\u003e is called to retrieve a \u003ccode\u003eDateTimeFormatter\u003c/code\u003e for the given pattern and locale.\u003c/li\u003e\n\u003cli\u003eNo cached entry matches the novel locale, so a new \u003ccode\u003eDateTimeFormatter\u003c/code\u003e is created and stored in the unbounded \u003ccode\u003eformattersCache\u003c/code\u003e under the concatenated \u003ccode\u003epattern + locale\u003c/code\u003e key. Nothing ever evicts it.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this with a fresh \u003ccode\u003eAccept-Language\u003c/code\u003e value in every request. Each request adds one entry, the \u003ccode\u003eformattersCache\u003c/code\u003e grows without bound, and the JVM eventually fails with an \u003ccode\u003eOutOfMemoryError\u003c/code\u003e, resulting in denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to crash any Micronaut server that exposes an endpoint with a \u003ccode\u003e@Format\u003c/code\u003e-annotated temporal type parameter. Memory consumption grows linearly with the number of unique \u003ccode\u003eAccept-Language\u003c/code\u003e values the attacker sends. Because a BCP 47 private-use subtag may be any run of 1 to 8 alphanumeric characters and several of them can be chained after the \u003ccode\u003ex\u003c/code\u003e singleton, the supply of distinct keys is effectively unlimited, so the attacker never has to reuse one and can exhaust server memory at will. This disrupts service for legitimate users. The \u003ccode\u003eTimeConverterRegistrar\u003c/code\u003e is active in all Micronaut HTTP server applications by default.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003emicronaut-context\u003c/code\u003e version 4.10.22 or later, which contains the fix.\u003c/li\u003e\n\u003cli\u003eThe fix pattern used for GHSA-2hcp-gjrf-7fhc applies here: replace the unbounded \u003ccode\u003eConcurrentHashMap\u003c/code\u003e with a bounded \u003ccode\u003eConcurrentLinkedHashMap\u003c/code\u003e so that the cache holds at most a fixed number of formatters regardless of how many distinct locales are requested. This is a change inside \u003ccode\u003emicronaut-context\u003c/code\u003e; upgrading picks it up without application changes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for clients that send a high volume of requests with distinct \u003ccode\u003eAccept-Language\u003c/code\u003e values. Default access-log formats usually do not record this header, so it has to be added to the log format before such monitoring can work.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is applied, consider rate limiting clients that present many distinct \u003ccode\u003eAccept-Language\u003c/code\u003e values, to slow down cache growth.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-micronaut-dos/","summary":"Micronaut's `TimeConverterRegistrar` has an unbounded `formattersCache` that allows memory exhaustion via a crafted `Accept-Language` header: an unauthenticated attacker can crash the JVM by sending requests with novel locale tags to `@Format`-annotated endpoints, growing the cache until heap memory is exhausted. Affects Micronaut applications with `micronaut-context` versions 4.3.0 and above, up to but not including 4.10.22.","title":"Micronaut TimeConverterRegistrar Memory Exhaustion via Accept-Language Header","url":"https://feed.craftedsignal.io/briefs/2024-11-micronaut-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Micronaut","version":"https://jsonfeed.org/version/1.1"}
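The cache growth described in the attack chain, as an added example that is not Micronaut's code: a minimal stand-in for a formatter cache keyed by `pattern + locale`, first as an unbounded `ConcurrentHashMap` and then as a bounded LRU map. The bounded version is built from the JDK's `LinkedHashMap` with `removeEldestEntry` and is an assumption standing in for the `ConcurrentLinkedHashMap` named in the recommendation; the class and method names (`UnboundedCache`, `BoundedCache`, `getFormatter`) and the generated `en-x-a…` tags are constructed for the example. `Locale.forLanguageTag` and `DateTimeFormatter.ofPattern` are the standard JDK APIs, and the `DateTimeFormatter` values show what one entry per novel locale actually retains.

```java
import java.time.format.DateTimeFormatter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not Micronaut's code. Models a DateTimeFormatter cache keyed by
 * pattern + locale, once unbounded (the vulnerable shape) and once bounded (the fix pattern).
 */
public class FormatterCacheDemo {

    /** Vulnerable shape: an unbounded ConcurrentHashMap. computeIfAbsent deduplicates keys but never evicts. */
    static final class UnboundedCache {
        private final Map<String, DateTimeFormatter> formatters = new ConcurrentHashMap<>();

        DateTimeFormatter getFormatter(String pattern, Locale locale) {
            // Key construction as the advisory describes it: pattern concatenated with the locale.
            return formatters.computeIfAbsent(pattern + locale,
                    k -> DateTimeFormatter.ofPattern(pattern, locale));
        }

        int size() { return formatters.size(); }
    }

    /** Bounded LRU map using only the JDK (assumption: stands in for ConcurrentLinkedHashMap). */
    static final class BoundedCache {
        private final Map<String, DateTimeFormatter> formatters;

        BoundedCache(int maxEntries) {
            // accessOrder=true gives LRU ordering; removeEldestEntry enforces the capacity on every insert.
            formatters = Collections.synchronizedMap(
                    new LinkedHashMap<String, DateTimeFormatter>(16, 0.75f, true) {
                        @Override
                        protected boolean removeEldestEntry(Map.Entry<String, DateTimeFormatter> eldest) {
                            return size() > maxEntries;
                        }
                    });
        }

        DateTimeFormatter getFormatter(String pattern, Locale locale) {
            return formatters.computeIfAbsent(pattern + locale,
                    k -> DateTimeFormatter.ofPattern(pattern, locale));
        }

        int size() { return formatters.size(); }
    }

    public static void main(String[] args) {
        // The JDK keeps the private-use subtag, so each such tag is a distinct Locale and a distinct key.
        Locale a = Locale.forLanguageTag("en-x-a001");
        Locale b = Locale.forLanguageTag("en-x-a002");
        System.out.println(a.toLanguageTag() + " vs " + b.toLanguageTag() + ", equal: " + a.equals(b));

        String pattern = "yyyy-MM-dd";
        UnboundedCache unbounded = new UnboundedCache();
        BoundedCache bounded = new BoundedCache(256);
        int requests = 10_000;
        for (int i = 0; i < requests; i++) {
            // Constructed attacker input: one never-seen private-use tag per request, as in the attack chain.
            Locale novel = Locale.forLanguageTag("en-x-a" + i);
            unbounded.getFormatter(pattern, novel);
            bounded.getFormatter(pattern, novel);
        }
        // The unbounded map holds one formatter per request sent; the bounded map holds at most its capacity.
        System.out.println("requests sent:           " + requests);
        System.out.println("unbounded cache entries: " + unbounded.size());
        System.out.println("bounded cache entries:   " + bounded.size());
    }
}
```

Compile and run with `javac FormatterCacheDemo.java && java FormatterCacheDemo`. Raising `requests` shows the unbounded entry count tracking it one for one while the bounded count stays at the capacity; the bounded map trades a cache miss for a rarely used locale against unbounded growth, which is the right trade for input an unauthenticated client controls.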
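The log-monitoring recommendation, as an added example that is not part of the original brief: a small detector that groups access-log lines by client address, counts the distinct `Accept-Language` values each client presents, and reports clients that fan out across many locales or rotate BCP 47 private-use subtags. The log layout (client address first, the `Accept-Language` value as the last quoted field), the sample lines and the thresholds are all constructed assumptions; adapt the line pattern to whatever format the server actually writes once the header is added to it.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of the original brief. Flags clients whose requests spread across
 * many distinct Accept-Language values, the traffic shape the attack chain above produces.
 */
public class AcceptLanguageFanout {

    /** Constructed log layout (assumption): client address first, Accept-Language as the last quoted field. */
    private static final Pattern LINE = Pattern.compile("^(\\S+) .*\"([^\"]*)\"\\s*$");

    /** A BCP 47 private-use sequence: the 'x' singleton followed by 1 to 8 alphanumerics. */
    private static final Pattern PRIVATE_USE = Pattern.compile("(?i)(^|-)x-[a-z0-9]{1,8}");

    /** Reduces the header to its first language range, q-value dropped, lower-cased. */
    static String primaryTag(String acceptLanguage) {
        String first = acceptLanguage.split(",")[0];
        return first.split(";")[0].trim().toLowerCase(Locale.ROOT);
    }

    static boolean hasPrivateUse(String tag) {
        return PRIVATE_USE.matcher(tag).find();
    }

    /** client address -> distinct primary tags seen from that client. */
    static Map<String, Set<String>> distinctTagsPerClient(List<String> lines) {
        Map<String, Set<String>> perClient = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;              // skip lines that do not fit the assumed layout
            String tag = primaryTag(m.group(2));
            if (tag.isEmpty()) continue;             // header absent or empty
            perClient.computeIfAbsent(m.group(1), k -> new HashSet<>()).add(tag);
        }
        return perClient;
    }

    /** client address -> reason, for clients over the distinct-tag threshold or rotating private-use tags. */
    static Map<String, String> flag(Map<String, Set<String>> perClient, int maxDistinct) {
        Map<String, String> findings = new TreeMap<>();
        for (Map.Entry<String, Set<String>> e : perClient.entrySet()) {
            Set<String> tags = e.getValue();
            long privateUse = tags.stream().filter(AcceptLanguageFanout::hasPrivateUse).count();
            if (tags.size() > maxDistinct) {
                findings.put(e.getKey(), tags.size() + " distinct Accept-Language values ("
                        + privateUse + " with private-use subtags)");
            } else if (privateUse > 1) {
                // Real clients almost never rotate private-use subtags, so a low bar is justified here.
                findings.put(e.getKey(), privateUse + " distinct private-use locale tags");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: one ordinary client, one client cycling private-use tags as in the attack chain.
        List<String> lines = new ArrayList<>();
        lines.add("198.51.100.5 \"GET /events?from=2024-11-01 HTTP/1.1\" 200 \"en-US,en;q=0.9\"");
        lines.add("198.51.100.5 \"GET /events?from=2024-11-02 HTTP/1.1\" 200 \"en-US,en;q=0.9\"");
        lines.add("198.51.100.5 \"GET /events?from=2024-11-02 HTTP/1.1\" 200 \"de-DE,de;q=0.8\"");
        for (int i = 0; i < 50; i++) {
            lines.add("203.0.113.7 \"GET /events?from=2024-11-01 HTTP/1.1\" 200 \"en-x-a"
                    + String.format("%03d", i) + "\"");
        }
        Map<String, String> findings = flag(distinctTagsPerClient(lines), 10);
        findings.forEach((ip, reason) -> System.out.println(ip + ": " + reason));
    }
}
```

On the sample, only the client rotating `en-x-a000…` tags is reported; the client alternating between two ordinary locales is not. The distinct-count threshold needs tuning where many users share one address (NAT, corporate proxies), and the detector only works if the server logs the header at all, which in common setups means adding `%{Accept-Language}i` to an Apache log format or `$http_accept_language` to an nginx one. Because the cache keys on the full locale tag, the detection keys on the same normalised value a cache lookup would see rather than on the raw header string.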