Keeping Spring secure

How to Mitigate and Remediate Expression DoS in 4 Steps: Spring (CVE-2023-20861)



Recently, a Denial of Service vulnerability (CVE-2023-20861) was discovered in the widely-used Java web application framework Spring. The vulnerability allows specially crafted SpEL expressions to cause a DoS condition. In this article, I will provide four steps that will let you remediate CVE-2023-20861 and prevent Expression DoS going forward.


Step 1: Update Spring to the Latest Version

The most important step in remediating CVE-2023-20861 is to update Spring to the latest version, as that version contains the fix for the vulnerability. 6.0.x users should upgrade to 6.0.7+, 5.3.x users should upgrade to 5.3.26+, and 5.2.x users should upgrade to 5.2.23.RELEASE+. All users of older, unsupported Spring versions should immediately update to 6.0.7+ or 5.3.26+.

Step 2: Limit the Use of SpEL Expressions and Sanitize User Input

A very effective way to prevent Expression DoS in Spring is to limit the use of SpEL expressions and to sanitize any user input before it is evaluated. SpEL expressions are powerful, but they are dangerous when used carelessly: text that originates from a request must never be parsed as an expression without validation. Validate user input (for example, its length and allowed characters) and ensure that it cannot reach the expression parser as expression text.
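The following is an added example, not code from the article or from the Spring project, that contrasts the risky pattern (request text evaluated directly as a SpEL expression) with a hardened version in which user input only ever enters as a variable value bound into a fixed, application-owned expression. The `Order` class, the `MAX_INPUT_LENGTH` limit and the discount rule are assumptions made for the example; the Spring classes (`SpelExpressionParser`, `SimpleEvaluationContext`) are real.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Added example (not the article's or Spring's own code).
public class SpelHardeningExample {

    // Hypothetical domain object used as the SpEL root; getters make its
    // properties readable through SpEL's data-binding property accessor.
    public static class Order {
        private final String customer;
        private final int quantity;
        public Order(String customer, int quantity) { this.customer = customer; this.quantity = quantity; }
        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    // RISKY PATTERN: the raw request parameter *is* the expression. Anyone who can
    // reach this endpoint controls the size and nesting of what the parser has to
    // handle, which is the input class behind the Expression DoS in this advisory.
    static Object evaluateUntrusted(String userSuppliedExpression, Order order) {
        ExpressionParser parser = new SpelExpressionParser();
        return parser.parseExpression(userSuppliedExpression).getValue(order);
    }

    // HARDENED PATTERN: the expression is a constant owned by the application and is
    // parsed once; user input is bound as a variable (#requestedCustomer) and is
    // length-checked before it is touched at all.
    private static final int MAX_INPUT_LENGTH = 256;               // assumed limit
    private static final ExpressionParser PARSER = new SpelExpressionParser();
    private static final Expression DISCOUNT_RULE =
            PARSER.parseExpression("quantity >= 10 and customer == #requestedCustomer");

    static boolean evaluateHardened(String userInput, Order order) {
        if (userInput == null || userInput.length() > MAX_INPUT_LENGTH) {
            throw new IllegalArgumentException("input rejected: missing or too long");
        }
        // Read-only data binding: no type references, constructors, bean references
        // or method invocation on arbitrary Java types.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("requestedCustomer", userInput);
        Boolean result = DISCOUNT_RULE.getValue(ctx, order, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) {
        Order order = new Order("acme", 12);                         // constructed sample
        // The hardened path treats the input purely as data, so even text that
        // looks like an expression is just compared as a string.
        System.out.println(evaluateHardened("acme", order));          // true
        System.out.println(evaluateHardened("T(java.lang.Runtime)", order)); // false, never parsed
        try {
            evaluateHardened("x".repeat(10_000), order);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before parsing: " + e.getMessage());
        }
    }
}
```

The design point is that parsing cost is bounded by expressions the application wrote, not by what a client sends; the length check is a second, cheap gate in front of anything that does consume user input.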

Step 3: Follow the Principle of Least Privilege

Furthermore, I highly recommend following the principle of least privilege, where users are only given the minimum access necessary to perform their tasks. This can help reduce the impact of any potential security vulnerabilities, as attackers would have limited access to sensitive information or functionality.

Step 4: Fuzz Your Code Continuously

The vulnerability itself was discovered as part of an ongoing collaboration between Google’s OSS-Fuzz and Code Intelligence with the goal of continuously fuzzing open-source software. I recommend continuously fuzzing both open-source and closed-source projects so that similar vulnerabilities are discovered early in development, before they can cause damage in the wild.

Interesting fact: in the same Spring module, fuzzing discovered a second, new DoS condition (CVE-2023-20863) shortly after the fix for CVE-2023-20861 was implemented.
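As an added illustration of the fuzzing step (not code from the article, from Code Intelligence or from Spring), here is a minimal Jazzer fuzz target that exercises the SpEL parse-and-evaluate path under a restricted evaluation context. Jazzer's `fuzzerTestOneInput(FuzzedDataProvider)` entry point and `consumeRemainingAsString()` are the real API; the class name and the choice to evaluate against an empty root object are assumptions for the example. Expected, well-formed rejections are swallowed; uncaught exceptions, out-of-memory conditions and inputs that exceed the fuzzer's per-input timeout are the findings you are looking for.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Added example: a Jazzer fuzz target for the SpEL evaluation path.
// Run with the jazzer launcher, e.g. --target_class=SpelFuzzer, with
// spring-expression and spring-core on the class path.
public class SpelFuzzer {

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String candidate = data.consumeRemainingAsString();
        try {
            // Same restricted context a hardened application would use, so the
            // harness tests the configuration that actually ships.
            SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
            PARSER.parseExpression(candidate).getValue(ctx, new Object());
        } catch (ParseException | EvaluationException expected) {
            // Cleanly reported syntax or evaluation errors are correct behaviour.
            // Anything else (StackOverflowError, OutOfMemoryError, a hang that
            // trips the timeout) is reported by the fuzzer as a crash.
        }
    }
}
```

Keep the harness in the repository and run it in CI so that every change to code that touches the parser, including a dependency bump, is exercised with the same corpus rather than only at the time of an advisory.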

Conclusion

In addition to the above steps, it is also important to stay informed about any security vulnerabilities that may affect Spring or any other software you depend on. Keep an eye on security advisories and patches, and apply them as soon as possible to keep your applications secure. I also recommend integrating software composition analysis (SCA) tools into the development process to detect dependencies with known vulnerabilities, and dynamic white-box testing (such as fuzzing) to identify vulnerabilities that are not yet known.
