CVE-2022-24294

7.5 HIGH

📋 TL;DR

CVE-2022-24294 is a regular expression denial-of-service (ReDoS) vulnerability in Apache MXNet. An attacker who can supply a model to be loaded can cause excessive CPU consumption through specially crafted operator names. It affects Apache MXNet versions prior to 1.9.1 and can disrupt service for applications running a vulnerable version.

💻 Affected Systems

Products:
  • Apache MXNet (incubating)
Versions: All versions prior to 1.9.1
Operating Systems: All operating systems running Apache MXNet
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when loading models with specially crafted operator names. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service, with MXNet processes consuming 100% CPU and the affected services unavailable until the process is restarted.

🟠 Likely Case: Degraded performance or temporary service unavailability while a malicious model is processed, requiring manual intervention to restore service.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place, though some performance degradation may still occur.

🌐 Internet-Facing: MEDIUM - Exploitation requires ability to load models into MXNet, which typically requires some level of access or user interaction.
🏢 Internal Only: MEDIUM - Internal users or automated processes could inadvertently trigger the vulnerability with malicious models.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to load models into MXNet, which typically requires some level of access to the application. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.1

Vendor Advisory: https://lists.apache.org/thread/b1fbfmvzlr2bbp95lqoh3mtovclfcl3o

Restart Required: Yes

Instructions:

1. Stop all MXNet services.
2. Upgrade Apache MXNet to version 1.9.1 or later using your package manager or from source.
3. Restart MXNet services.
4. Verify the version is 1.9.1 or higher.

🔧 Temporary Workarounds

Input validation for model loading (platform: all)

Implement strict validation of operator names in models before loading them into MXNet. A custom validation script is required; there is no standard command.

Resource limiting (platform: linux)

Set CPU time limits on MXNet processes to prevent complete resource exhaustion:

ulimit -t 300
# Set CPU time limit to 300 seconds. The limit applies to processes started from this shell; a process that exceeds it receives SIGXCPU and is terminated, so this bounds a runaway load rather than recovering from it.

🧯 If You Can't Patch

  • Implement strict input validation for all model loading operations
  • Deploy resource monitoring and alerting for abnormal CPU consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check Apache MXNet version: if version is less than 1.9.1, the system is vulnerable.

Check Version:

python -c "import mxnet; print(mxnet.__version__)"

Verify Fix Applied:

Verify Apache MXNet version is 1.9.1 or higher after upgrade.
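As an added example (not from the advisory or the Apache MXNet project), the following Python script implements the custom validation script the workaround section calls for and the version comparison from the verification section. It assumes the usual MXNet symbol JSON layout, in which each entry of the top-level "nodes" list carries its operator name in the "op" field, and it uses a conservative allow-list pattern for operator names (an assumption; extend the pattern for any custom operators registered in your deployment). The two sample model graphs are constructed for the demonstration.

```python
"""Pre-load validation of operator names in an MXNet symbol JSON file,
plus a version check against the fixed release 1.9.1.
Added example; not code from the advisory or from Apache MXNet."""
import json
import re
from typing import List, Tuple

FIXED_VERSION = (1, 9, 1)

# Allow-list for operator names. Assumption: built-in MXNet operators are
# named with ASCII letters, digits and underscores (e.g. "FullyConnected",
# "_contrib_..."); anything else, or anything unusually long, is refused
# before MXNet ever parses it.
OP_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn mxnet.__version__ (e.g. '1.9.0', '1.8.0.post0', '2.0.0b1')
    into a comparable (major, minor, patch) tuple."""
    nums: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        nums.append(int(m.group()))
        if len(nums) == 3:
            break
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fix in 1.9.1."""
    return parse_version(version) < FIXED_VERSION


def validate_symbol_json(text: str) -> List[str]:
    """Return a list of problems found in a symbol JSON document.
    An empty list means every operator name passed the allow-list."""
    problems: List[str] = []
    try:
        graph = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    nodes = graph.get("nodes") if isinstance(graph, dict) else None
    if not isinstance(nodes, list):
        return ["missing 'nodes' list"]
    for idx, node in enumerate(nodes):
        op = node.get("op") if isinstance(node, dict) else None
        if not isinstance(op, str):
            problems.append(f"node {idx}: operator name missing or not a string")
        elif not OP_NAME_RE.fullmatch(op):
            # Truncate in the message so a huge name cannot flood the log.
            problems.append(f"node {idx}: operator name {op[:32]!r} rejected by allow-list")
    return problems


def safe_to_load(text: str) -> bool:
    """Gate to call before mx.sym.load / mx.mod.Module.load."""
    return validate_symbol_json(text) == []


# Constructed sample graphs (not real exported models).
GOOD_SYMBOL_JSON = json.dumps({
    "nodes": [
        {"op": "null", "name": "data", "inputs": []},
        {"op": "FullyConnected", "name": "fc1",
         "attrs": {"num_hidden": "10"}, "inputs": [[0, 0, 0]]},
    ],
    "arg_nodes": [0], "heads": [[1, 0, 0]],
})
BAD_SYMBOL_JSON = json.dumps({
    "nodes": [
        {"op": "null", "name": "data", "inputs": []},
        # Characters outside the allow-list and an over-long name.
        {"op": "Convolution" + "!" * 300, "name": "bad", "inputs": [[0, 0, 0]]},
    ],
    "arg_nodes": [0], "heads": [[1, 0, 0]],
})

if __name__ == "__main__":
    for label, ver in (("1.9.0", "1.9.0"), ("1.9.1", "1.9.1")):
        print(f"mxnet {label}: vulnerable={is_vulnerable(ver)}")
    print("good graph safe_to_load:", safe_to_load(GOOD_SYMBOL_JSON))
    print("bad graph problems:", validate_symbol_json(BAD_SYMBOL_JSON))
```

In a deployment, read the symbol JSON from the model file and call safe_to_load before handing the text to MXNet; on an unpatched host, also feed mxnet.__version__ to is_vulnerable and refuse untrusted models entirely when it returns True.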

📡 Detection & Monitoring

Log Indicators:

  • Excessive CPU usage logs
  • Process timeout or crash logs during model loading
  • Abnormally long model loading times

Network Indicators:

  • Increased response times from MXNet services
  • Service unavailability after model upload/loading

SIEM Query:

source="mxnet.logs" AND (cpu_usage > 90 OR "timeout" OR "model loading")
(pseudo-query: adapt the source and field names to your SIEM's syntax and to what your MXNet process logging actually emits)
