CVE-2022-1587 Overview
An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. The vulnerability allows remote attackers to potentially read sensitive information from memory or cause a denial of service condition through crafted input that triggers the out-of-bounds memory access.
Critical Impact
This vulnerability can lead to information disclosure through memory exposure and denial of service, affecting applications that rely on PCRE2 for regular expression processing with JIT compilation enabled.
Affected Products
- PCRE2 (Perl Compatible Regular Expressions 2)
- Red Hat Enterprise Linux 9.0
- Fedora 35 and 36
- NetApp Active IQ Unified Manager (VMware vSphere)
- NetApp HCI Management Node
- NetApp ONTAP Select Deploy Administration Utility
- NetApp SolidFire
- NetApp H300S, H500S, H700S, H410S, H410C (firmware and hardware)
Discovery Timeline
- May 16, 2022 - CVE-2022-1587 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-1587
Vulnerability Analysis
The vulnerability exists within the Just-In-Time (JIT) compilation component of the PCRE2 library. When processing complex regular expressions that involve recursive patterns, the get_recurse_data_length() function fails to properly validate memory boundaries during data transfer operations. This results in an out-of-bounds read condition where the function may access memory beyond the allocated buffer.
The flaw is triggered specifically when duplicate data transfers occur during the JIT compilation of recursive regular expressions. The JIT compiler, designed to optimize pattern matching performance, incorrectly calculates the length of recursive data structures, leading to improper memory access patterns.
Root Cause
The root cause stems from improper bounds checking in the get_recurse_data_length() function within pcre2_jit_compile.c. During recursion handling, the function performs data transfers that may be duplicated under certain conditions. The code failed to account for these duplicate transfers when calculating buffer boundaries, resulting in read operations that exceed allocated memory regions. This is classified as CWE-125 (Out-of-bounds Read).
Attack Vector
The vulnerability can be exploited remotely through network-based attack vectors. An attacker can craft malicious regular expressions that, when processed by an application using the vulnerable PCRE2 library with JIT compilation enabled, trigger the out-of-bounds read condition. This could be achieved by:
- Submitting crafted input to web applications that use PCRE2 for pattern matching
- Targeting services that process user-supplied regular expressions
- Exploiting applications that compile and execute regular expressions from untrusted sources
The attack requires no authentication or user interaction, making it particularly dangerous for internet-facing services.
23. Fixed a unicode properrty matching issue in JIT. The character was not
fully read in caseless matching.
+24. Fixed an issue affecting recursions in JIT caused by duplicated data
+transfers.
+
Version 10.39 29-October-2021
-----------------------------
Source: GitHub PCRE2 Commit
Detection Methods for CVE-2022-1587
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using PCRE2 library
- Memory access violations in processes performing regular expression matching
- Abnormal memory read patterns detected by runtime memory safety tools
- Application logs showing errors related to JIT-compiled regex recursion handling
Detection Strategies
- Monitor for memory access violations or SIGSEGV signals in applications linked with PCRE2
- Implement application-level logging to detect failed regex compilation attempts
- Use address sanitizer (ASan) or memory debugging tools to identify out-of-bounds read attempts
- Deploy intrusion detection rules to identify crafted regex patterns targeting recursive processing
Monitoring Recommendations
- Enable verbose logging for applications that process user-supplied regular expressions
- Implement rate limiting on regex processing endpoints to mitigate exploitation attempts
- Monitor system logs for repeated crashes in PCRE2-dependent applications
- Deploy memory monitoring solutions to detect abnormal memory access patterns
How to Mitigate CVE-2022-1587
Immediate Actions Required
- Update PCRE2 library to the latest patched version immediately
- Review and update all applications that bundle or statically link PCRE2
- Apply vendor-specific patches for Red Hat Enterprise Linux, Fedora, and NetApp products
- Disable JIT compilation temporarily if immediate patching is not possible
Patch Information
The PCRE2 project has released a fix through commit 03654e751e7f0700693526b67dfcadda6b42c9d0. This patch addresses the issue affecting recursions in JIT caused by duplicated data transfers. Administrators should apply the following vendor-specific patches:
- PCRE2: Apply the security commit from the PCRE2 GitHub repository
- Red Hat: Refer to the Red Hat Bug Report for RHEL-specific updates
- Fedora: Install updates via the Fedora Package Announcements
- NetApp: Review the NetApp Security Advisory for affected products
- Debian: Apply updates referenced in the Debian LTS Announcement
Workarounds
- Disable JIT compilation in PCRE2 by not setting the PCRE2_JIT_COMPLETE flag during compilation
- Implement input validation to restrict complexity of user-supplied regular expressions
- Use sandboxing or containerization to limit the impact of potential exploitation
- Restrict network access to services that process untrusted regular expressions
# Configuration example - Disable JIT compilation in PCRE2
# When compiling patterns, avoid using JIT by omitting the jit_compile call
# Example: Instead of calling pcre2_jit_compile(), use interpreted matching
# For applications with configuration options, disable JIT:
# PHP: pcre.jit=0 in php.ini
# Apache: Ensure mod_rewrite doesn't use JIT if configurable
# Verify PCRE2 version after patching
pcre2grep --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
