CVE-2021-22095: Spring-AMQP Remote Denial of Service - Out of Memory Error with a Large Message Body
Spring by VMware
The Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size.
This can cause an OOM Error with a large message body.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- 2.2.0 - 2.2.19
- 2.3.0 - 2.3.11
Users of affected versions should apply the following mitigation. 2.3.x users should upgrade to 2.3.12. 2.2.x users should upgrade to 2.2.20. No other steps are necessary. The toString() method now only converts the body if its length is 50 or fewer bytes. Releases that have fixed this issue include:
This issue was identified and responsibly reported by Vasily Kochnev.
2021-11-29: Initial vulnerability report published.