Details of VAR-202209-1643

ID

VAR-202209-1643

CVE

CVE-2022-3252

TITLE

apple's SwiftNIO Extras Infinite loop vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-018170

DESCRIPTION

Improper detection of complete HTTP body decompression SwiftNIO Extras provides a pair of helpers for transparently decompressing received HTTP request or response bodies. These two objects (HTTPRequestDecompressor and HTTPResponseDecompressor) both failed to detect when the decompressed body was considered complete. If trailing junk data was appended to the HTTP message body, the code would repeatedly attempt to decompress this data and fail. This would lead to an infinite loop making no forward progress, leading to livelock of the system and denial-of-service. This issue can be triggered by any attacker capable of sending a compressed HTTP message. Most commonly this is HTTP servers, as compressed HTTP messages cannot be negotiated for HTTP requests, but it is possible that users have configured decompression for HTTP requests as well. The attack is low effort, and likely to be reached without requiring any privilege or system access. The impact on availability is high: the process immediately becomes unavailable but does not immediately crash, meaning that it is possible for the process to remain in this state until an administrator intervenes or an automated circuit breaker fires. If left unchecked this issue will very slowly exhaust memory resources due to repeated buffer allocation, but the buffers are not written to and so it is possible that the processes will not terminate for quite some time. This risk can be mitigated by removing transparent HTTP message decompression. The issue is fixed by correctly detecting the termination of the compressed body as reported by zlib and refusing to decompress further data. The issue was found by Vojtech Rylko (https://github.com/vojtarylko) and reported publicly on GitHub. apple's SwiftNIO Extras Exists in an infinite loop vulnerability.Service operation interruption (DoS) It may be in a state. The impact on availability is high: the..

Trust: 1.71

sources: NVD: CVE-2022-3252 // JVNDB: JVNDB-2022-018170 // VULHUB: VHN-430861

AFFECTED PRODUCTS

vendor:	apple	model:	swift-nio-extras	scope:	gte	version:	1.10.0	Trust: 1.0
vendor:	apple	model:	swift-nio-extras	scope:	lt	version:	1.14.0	Trust: 1.0
vendor:	apple	model:	swift-nio-extras	scope:	lt	version:	1.10.3	Trust: 1.0
vendor:	apple	model:	swift-nio-extras	scope:	gte	version:	1.11.0	Trust: 1.0
vendor:	apple	model:	swift-nio-extras	scope:	lt	version:	1.9.2	Trust: 1.0
vendor:	アップル	model:	swiftnio extras	scope:	eq	version:	1.10.0 that's all 1.10.3	Trust: 0.8
vendor:	アップル	model:	swiftnio extras	scope:	eq	version:	1.9.2	Trust: 0.8
vendor:	アップル	model:	swiftnio extras	scope:	eq	version:	1.11.0 that's all 1.14.0	Trust: 0.8
vendor:	アップル	model:	swiftnio extras	scope:	-	version:	-	Trust: 0.8
vendor:	アップル	model:	swiftnio extras	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-018170 // NVD: CVE-2022-3252

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-3252
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-3252
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202209-1721
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-3252
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-3252
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-018170 // CNNVD: CNNVD-202209-1721 // NVD: CVE-2022-3252

PROBLEMTYPE DATA

problemtype:	CWE-835	Trust: 1.1
problemtype:	CWE-606	Trust: 1.0
problemtype:	infinite loop (CWE-835) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-430861 // JVNDB: JVNDB-2022-018170 // NVD: CVE-2022-3252

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202209-1721

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202209-1721

PATCH

title:

Apple SwiftNIO Extras Security vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=209123

Trust: 0.6

sources: CNNVD: CNNVD-202209-1721

EXTERNAL IDS

db:	NVD	id:	CVE-2022-3252	Trust: 3.3
db:	JVNDB	id:	JVNDB-2022-018170	Trust: 0.8
db:	CNNVD	id:	CNNVD-202209-1721	Trust: 0.6
db:	VULHUB	id:	VHN-430861	Trust: 0.1

sources: VULHUB: VHN-430861 // JVNDB: JVNDB-2022-018170 // CNNVD: CNNVD-202209-1721 // NVD: CVE-2022-3252

REFERENCES

url:	https://github.com/apple/swift-nio-extras/security/advisories/ghsa-773g-x274-8qmf	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-3252	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-3252/	Trust: 0.6

sources: VULHUB: VHN-430861 // JVNDB: JVNDB-2022-018170 // CNNVD: CNNVD-202209-1721 // NVD: CVE-2022-3252

SOURCES

db:	VULHUB	id:	VHN-430861
db:	JVNDB	id:	JVNDB-2022-018170
db:	CNNVD	id:	CNNVD-202209-1721
db:	NVD	id:	CVE-2022-3252

LAST UPDATE DATE

2024-08-14T14:10:33.420000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-430861	date:	2022-09-26T00:00:00
db:	JVNDB	id:	JVNDB-2022-018170	date:	2023-10-19T01:16:00
db:	CNNVD	id:	CNNVD-202209-1721	date:	2022-09-27T00:00:00
db:	NVD	id:	CVE-2022-3252	date:	2022-09-26T22:11:54.813

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-430861	date:	2022-09-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-018170	date:	2023-10-19T00:00:00
db:	CNNVD	id:	CNNVD-202209-1721	date:	2022-09-21T00:00:00
db:	NVD	id:	CVE-2022-3252	date:	2022-09-21T19:15:13.023