Tech Note on CVE 2022-22970 – DoS with Multi-Part File Uploads (Spring Framework 4)
RapidMiner is potentially affected by CVE 2022-22970 in two areas:
Uploading a Project as a ZIP file
Uploading a Real-Time Scoring Agent deployment as a ZIP file.
What is the risk?
A fully authenticated and authorized user of RapidMiner AI Hub may potentially deny service to the RapidMiner AI Hub by crashing the JVM by exploiting the multi-part upload(s) listed above.
As both functions listed above are only available to fully authenticated and authorized users, there is no risk from anonymous users or from authenticated users who do not have permissions for those functions.
No additional permissions are granted. The DoS exploit would not provide unauthorized data access.
Restarting the JVM or container would remedy the attack.
How can the attack be mitigated?
To exploit CVE 2022-22970, you must be both a RapidMiner user and also have the Analyst Role assigned.
To mitigate the exploit, users can have the Analyst role removed which will prevent users from accessing the affected endpoints.
When will this vulnerability be patched?
- The offending libraries (Spring Framework 4) are being removed in RapidMiner AI Hub 10, slated for release in October.
Because this attack does not result in elevated privileges and does not provide access to any data for which the user is not already authorized, the risk from this exploit is low. As recovering the service involves a simple service restart, we also do not recommend removing the Analyst role except if required by your security team. You may contact RapidMiner for any additional details.