Vulnerabilities > CVE-2021-22097 - Deserialization of Untrusted Data vulnerability in VMWare Spring Advanced Message Queuing Protocol

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

vmware

CWE-502

NVD

Published: 2021-10-28

Updated: 2021-11-01

Summary

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Spring Advanced Message Queuing Protocol 2.2.0 Vmware Spring Advanced Message Queuing Protocol 2.2.1 Vmware Spring Advanced Message Queuing Protocol 2.2.2 Vmware Spring Advanced Message Queuing Protocol 2.2.3 Vmware Spring Advanced Message Queuing Protocol 2.2.4 Vmware Spring Advanced Message Queuing Protocol 2.2.5 Vmware Spring Advanced Message Queuing Protocol 2.2.6 Vmware Spring Advanced Message Queuing Protocol 2.2.7 Vmware Spring Advanced Message Queuing Protocol *	14

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://tanzu.vmware.com/security/cve-2021-22097