CVE-2022-22969 Overview
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session. This vulnerability exposes OAuth 2.0 Client applications only.
Critical Impact
Authenticated attackers can exhaust system resources by initiating multiple OAuth 2.0 Authorization Code Grant requests within a single session, causing service disruption to legitimate users.
Affected Products
- Pivotal Spring Security OAuth versions 2.5.x prior to 2.5.2
- Pivotal Spring Security OAuth older unsupported versions
- Oracle Communications Design Studio 7.4.2
Discovery Timeline
- 2022-04-21 - CVE-2022-22969 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-22969
Vulnerability Analysis
This vulnerability targets the OAuth 2.0 Authorization Code Grant flow within Spring Security OAuth Client applications. The flaw allows an authenticated attacker to initiate numerous Authorization Requests within a single HTTP session. Each request consumes server-side resources (memory, session state, pending authorization objects) that are not properly bounded or rate-limited. When an attacker sends a high volume of these requests, the cumulative resource consumption can exhaust available system resources, leading to degraded performance or complete service unavailability for legitimate users.
The vulnerability specifically affects OAuth 2.0 Client applications—systems that redirect users to authorization servers for authentication. Resource servers and authorization servers are not directly impacted by this issue.
Root Cause
The root cause lies in improper resource management during the handling of Authorization Request initiations. Spring Security OAuth fails to implement adequate rate limiting or resource constraints on the number of pending authorization requests that can be maintained per session. This allows an attacker to accumulate an unbounded number of authorization state objects, leading to resource exhaustion.
Attack Vector
The attack is network-based and requires the attacker to have low-level authenticated access to the target application. The attacker exploits the Authorization Code Grant initiation endpoint by:
- Authenticating to the vulnerable OAuth 2.0 Client application
- Initiating multiple Authorization Requests without completing the OAuth flow
- Accumulating pending authorization state objects within a single session
- Repeating this process until system resources are exhausted
Since the attack can be performed with a single authenticated session and requires no user interaction from other parties, it can be executed with minimal complexity. The impact is limited to availability—no confidentiality or integrity compromise occurs.
Detection Methods for CVE-2022-22969
Indicators of Compromise
- Abnormally high number of Authorization Request initiations from a single session or user account
- Increased memory consumption on application servers hosting OAuth 2.0 Client applications
- Elevated session state storage utilization without corresponding authorization completions
- Multiple incomplete OAuth authorization flows from the same source IP or user
Detection Strategies
- Monitor application logs for excessive /oauth2/authorization or similar endpoint requests from individual sessions
- Implement anomaly detection for session-based request patterns that exceed normal authorization flow initiation rates
- Track the ratio of initiated authorization requests to completed authorization callbacks per session
- Deploy application performance monitoring (APM) to identify resource consumption spikes correlated with OAuth endpoints
Monitoring Recommendations
- Configure alerting thresholds for session-based request rates to OAuth authorization endpoints
- Implement real-time monitoring of JVM heap usage and garbage collection frequency on affected applications
- Track and alert on pending authorization request counts per session or user
- Review access logs periodically for patterns consistent with DoS attack attempts
How to Mitigate CVE-2022-22969
Immediate Actions Required
- Upgrade Spring Security OAuth to version 2.5.2 or later immediately
- If immediate patching is not possible, implement rate limiting at the application or infrastructure level for authorization endpoints
- Consider migrating to Spring Security 5.x OAuth 2.0 Client support, as Spring Security OAuth is in maintenance mode
- Review and restrict authenticated access to OAuth Client applications where feasible
Patch Information
Pivotal has released Spring Security OAuth version 2.5.2 which addresses this vulnerability. Organizations should upgrade to this version or later. For detailed patch information, refer to the VMware CVE-2022-22969 Advisory. Oracle has also addressed this issue in their July 2022 Critical Patch Update for Oracle Communications Design Studio, documented in the Oracle July 2022 Security Alert.
Workarounds
- Implement rate limiting on authorization request endpoints using a web application firewall (WAF) or reverse proxy
- Configure session-level limits on the number of pending authorization requests
- Deploy infrastructure-level protections such as request throttling for authenticated endpoints
- Monitor and terminate sessions exhibiting abnormal authorization request patterns
# Example: Rate limiting OAuth authorization endpoints with nginx
# Add to nginx configuration for the affected application
location /oauth2/authorization {
# Limit requests per session/IP
limit_req zone=oauth_limit burst=10 nodelay;
limit_req_status 429;
proxy_pass http://backend;
}
# Define the rate limit zone in http context
# limit_req_zone $binary_remote_addr zone=oauth_limit:10m rate=5r/s;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
