CVE-2022-31781
📋 TL;DR
Apache Tapestry versions up to and including 5.8.1 contain a Regular Expression Denial of Service (ReDoS) weakness in the ContentType class. A specially crafted content type string handed to the ContentType constructor triggers catastrophic backtracking in the regular expression used to parse it, pinning a thread at full CPU for a long time. The vulnerable path is only reached when non-Tapestry code (your application or a third-party library) passes unsanitized input to that constructor; Tapestry's own request handling does not expose it to a plain web request. Fixed in 5.8.2.
💻 Affected Systems
- Apache Tapestry
📦 What is this software?
Apache Tapestry is a component-oriented, open-source web application framework for Java maintained by the Apache Software Foundation. The affected code is its ContentType class, which parses and represents MIME content type strings such as text/html;charset=utf-8.
⚠️ Risk & Real-World Impact
Worst Case
Each crafted string ties up one request or worker thread in regex backtracking at 100% CPU for minutes or longer. Enough of them exhaust the thread pool and the application stops serving requests until the stuck matches finish or the JVM is restarted; Java's regex engine has no timeout, so a match that has started runs to completion.
Likely Case
Intermittent latency spikes and occasional thread-pool exhaustion while crafted content type strings are being processed; ordinary inputs are unaffected.
If Mitigated
Minimal impact if input validation prevents malicious content types from reaching the vulnerable code path.
🎯 Exploit Status
Exploitation requires a specific condition: some non-Tapestry code in the application must pass attacker-controlled, unsanitized strings to the ContentType constructor (for example, application code that builds a ContentType from a client-supplied header or upload metadata). Tapestry itself does not feed raw request data into that constructor, so there is no direct web request exploit against a stock Tapestry application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Tapestry 5.8.2
Vendor Advisory: https://www.openwall.com/lists/oss-security/2022/07/12/3
Restart Required: Yes
Instructions:
1. Upgrade Apache Tapestry to version 5.8.2 or later.
2. Update every org.apache.tapestry artifact in your project configuration (tapestry-core and any other tapestry-* modules, including ones pulled in transitively) to the same 5.8.2 or later version.
3. Rebuild and redeploy your application.
4. Restart the application servers so the new jars are loaded.
🔧 Temporary Workarounds
Input Validation Filter
Validate content type strings before they reach the ContentType constructor: cap the length, require the type/subtype;name=value grammar (RFC 7231 tokens), and reject anything else rather than trying to repair it. Because the backtracking cost grows with input length, a strict length cap alone removes most of the exposure.
Rate Limiting
Rate limiting on the code paths that pass client-supplied content type data slows an attacker down but does not remove the issue: a single crafted string is enough to pin one thread for a long time, so treat this as a stop-gap alongside validation.
🧯 If You Can't Patch
- Enforce strict validation (length cap plus grammar check) on every content type value your own code hands to ContentType; never pass raw request headers, multipart field values or file metadata through unchecked
- Alert on sustained CPU saturation and on thread dumps that show worker threads inside java.util.regex.Pattern frames called from Tapestry's ContentType class; since Java regex matching cannot be timed out, the practical circuit breaker is rejecting the input before the match starts
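The validation filter described in the workarounds above, as an added example rather than code from Tapestry or from this advisory. It is written in Python so it runs stand-alone; the same logic ports directly to the Java method that sits in front of the ContentType constructor. NAIVE_PATTERN is a constructed stand-in that shows the weakness class (a repeated group whose optional-whitespace ends overlap), not Tapestry's actual regex; parse_content_type is the linear-time pre-filter: hard length cap, RFC 7230 token rules, reject on any deviation.

```python
import re
import sys
import time

# CONSTRUCTED ReDoS-prone pattern, not Tapestry's. The trailing \s* of one
# ";name=value" group and the leading \s* of the next can both claim the same
# run of spaces, so when the overall match fails the engine retries every split
# of every run: about 2^n attempts for n parameters separated by single spaces.
NAIVE_PATTERN = re.compile(
    r"^([\w.+-]+)/([\w.+-]+)(\s*;\s*[\w.+-]+\s*=\s*[\w.+-]+\s*)*$")

# RFC 7230 "tchar": the only characters allowed in a type, subtype or parameter name.
_TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
MAX_LEN = 256  # real media types are far shorter; checked before any parsing work


def _is_token(s):
    return bool(s) and all(c in _TCHAR for c in s)


def parse_content_type(value):
    """Return (type, subtype, params) for a well-formed string, else None.

    Single left-to-right pass with no regex: every character is examined a
    constant number of times, so cost is linear however the input is shaped.
    Malformed input is rejected, never repaired (trailing ';', missing '=',
    duplicate names, quoted values containing '"' or a backslash all give None).
    """
    if not isinstance(value, str) or not 0 < len(value) <= MAX_LEN:
        return None
    segments = value.split(";")
    mime = segments[0].strip()
    slash = mime.find("/")
    if slash < 0:
        return None
    typ, sub = mime[:slash], mime[slash + 1:]
    if not (_is_token(typ) and _is_token(sub)):
        return None
    params = {}
    for seg in segments[1:]:
        name, eq, val = seg.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not eq or not _is_token(name) or name in params:
            return None
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
            if '"' in val or "\\" in val:  # strict: no nested quotes or escapes
                return None
        elif not _is_token(val):
            return None
        params[name] = val
    return typ.lower(), sub.lower(), params


def crafted_content_type(n):
    """Shape of input that stalls NAIVE_PATTERN: n parameters each followed by one
    space (two ways to split it) and a final '!' so the overall match must fail."""
    return "text/plain" + " ;a=b" * n + " !"


def time_naive(n):
    """Seconds NAIVE_PATTERN spends rejecting crafted_content_type(n)."""
    start = time.perf_counter()
    if NAIVE_PATTERN.match(crafted_content_type(n)) is not None:
        raise AssertionError("crafted input unexpectedly matched")
    return time.perf_counter() - start


if __name__ == "__main__":
    # Demo: each extra parameter roughly doubles the naive time; the validator
    # rejects the same string in microseconds. Try 16, 18, 20 and compare.
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 16
    print(f"n={n}: naive regex rejected in {time_naive(n):.3f}s")
    start = time.perf_counter()
    verdict = parse_content_type(crafted_content_type(n))
    print(f"n={n}: validator returned {verdict} in {time.perf_counter() - start:.6f}s")
    print(parse_content_type('Text/HTML; charset="utf-8"'))
```

The validator deliberately rejects rather than normalises: a quoted value containing ';' is split apart and refused, a trailing ';' is refused, and so on. That is the right trade for a pre-filter in front of a parser you do not control, because anything you "repair" is a guess about what the downstream regex will do with it.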
🔍 How to Verify
Check if Vulnerable:
Inspect your pom.xml or build.gradle for org.apache.tapestry artifacts, and check the resolved dependency tree rather than only the declared version, since another library can pull in an older Tapestry transitively. Any version up to and including 5.8.1 contains the vulnerable ContentType class; whether it is exploitable in your deployment depends on whether any of your code passes untrusted strings to its constructor (see Exploit Status).
Check Version:
For Maven: mvn dependency:tree -Dincludes=org.apache.tapestry (or mvn dependency:tree | grep tapestry). For Gradle: gradle dependencies --configuration runtimeClasspath | grep tapestry. Check every artifact that appears, including transitive ones, not only the one you declared.
Verify Fix Applied:
After upgrading, re-run the dependency listing and confirm that every org.apache.tapestry artifact resolves to 5.8.2 or later in the built application, not only in the declared version, since dependency management or a transitive dependency can still pin an older release. Then restart the application servers so the new jars are actually loaded.
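A dependency audit that performs the version check above over the output of mvn dependency:tree, as an added example (not a tool from the Tapestry project or this advisory). It parses the Maven tree format, including transitive entries, and flags every org.apache.tapestry artifact older than 5.8.2. The sample tree embedded below is constructed for the example, and the script name tapestry_audit.py in the usage comment is a placeholder. Gradle's dependency listing uses a different line format and is not handled here.

```python
import re
import sys

FIXED = (5, 8, 2)  # first release with the ContentType fix

# Maven prints each dependency as groupId:artifactId:type[:classifier]:version:scope,
# e.g.  [INFO] |  +- org.apache.tapestry:tapestry-core:jar:5.8.1:compile
_MAVEN_COORD = re.compile(
    r"(org\.apache\.tapestry):([\w.-]+):[\w-]+:(?:[\w-]+:)?([\w.-]+):\w+")

# Constructed sample of `mvn dependency:tree` output for this example, not real
# project output. The last Tapestry entry is transitive: pulled in by another
# library, so it is easy to miss when only the declared version is checked.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.apache.tapestry:tapestry-core:jar:5.8.1:compile
[INFO] |  +- org.apache.tapestry:tapestry-ioc:jar:5.8.1:compile
[INFO] |  +- org.apache.tapestry:tapestry5-annotations:jar:5.8.1:compile
[INFO] |  \\- org.apache.tapestry:tapestry-json:jar:5.8.1:compile
[INFO] +- com.example:legacy-module:jar:2.3.0:compile
[INFO] |  \\- org.apache.tapestry:tapestry-upload:jar:5.4.5:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""


def parse_version(version):
    """Leading numeric components of a Maven version: '5.8.1' -> (5, 8, 1),
    '5.8.2-SNAPSHOT' -> (5, 8, 2). Anything unparseable yields () and is
    therefore treated as older than FIXED (fail closed). Note that a
    5.8.2-SNAPSHOT built before the fix landed would pass this check, so
    treat snapshot builds as suspect regardless."""
    nums = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def vulnerable_artifacts(tree_text):
    """Return [(artifactId, version)] for every Tapestry artifact below 5.8.2,
    in the order they appear in the tree."""
    hits = []
    for m in _MAVEN_COORD.finditer(tree_text):
        artifact, version = m.group(2), m.group(3)
        if parse_version(version) < FIXED:
            hits.append((artifact, version))
    return hits


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python tapestry_audit.py   (or pass a saved file).
    # Run the tree without -Dverbose, so entries Maven omitted for conflicts are
    # not listed and cannot be mistaken for resolved versions.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    hits = vulnerable_artifacts(text)
    for artifact, version in hits:
        print(f"VULNERABLE  org.apache.tapestry:{artifact}:{version}  -> upgrade to 5.8.2 or later")
    print("no vulnerable Tapestry artifacts found" if not hits
          else f"{len(hits)} artifact(s) need upgrading")
    sys.exit(1 if hits else 0)
```

Exiting non-zero when anything is flagged lets the same script gate a CI pipeline, which is where this check belongs once the upgrade is done: it catches the next library that quietly drags an old tapestry-* jar back in.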
📡 Detection & Monitoring
Log Indicators:
- CPU usage spikes on the application server that do not track request volume
- Individual requests or background tasks taking minutes instead of milliseconds, with thread dumps (jstack) showing threads inside java.util.regex.Pattern matching called from Tapestry's ContentType class
- Thread-pool exhaustion warnings from the servlet container (requests queued or rejected)
Network Indicators:
- Requests carrying unusually long or repetitive content type values (long runs of ';', '=' or whitespace), relevant only where your application code forwards such values to ContentType
- Repeated requests from one source that vary only in the content type data they carry
SIEM Query:
source="application_logs" AND ("ContentType" OR "content-type") AND (cpu_usage>90 OR response_time>5000)