PT-2021-14850 · Spring · Spring Amqp
R00T4Dm · Published 2021-10-26 · Updated 2022-05-24 · CVE-2021-22097

| CVSS v2.0 | 6.8 (Medium) |
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Spring AMQP versions 2.2.0 through 2.2.18
Spring AMQP versions 2.3.0 through 2.3.10
Description
In the affected versions, org.springframework.amqp.core.Message.toString() renders the message body: when the content type is application/x-java-serialized-object it deserializes the body with Java serialization, and for other content types it builds a new String from the entire body. A credentialed remote attacker who can publish to a queue the application consumes can therefore send a crafted serialized java.util.Dictionary that drives CPU usage to 100% as soon as toString() runs, or a very large body that triggers an OutOfMemoryError when it is copied into a String. toString() is rarely called explicitly; it runs implicitly whenever a Message is logged, concatenated into a string, placed in an exception message or inspected in a debugger, so any such code path is an entry point. The CVSS vector (Au:S) reflects the precondition: the attacker needs broker credentials that allow publishing to a queue the application consumes from.
Recommendations
For both affected lines, upgrade: 2.2.x users to Spring AMQP 2.2.19, 2.3.x users to 2.3.11.
Until the upgrade is deployed, do not let Message objects reach toString() on input from producers you do not control: log message properties (content type, delivery tag, routing key) and a bounded prefix of the raw body instead of the Message itself, and audit log statements, exception messages and string concatenations for places that pass a Message through implicitly.
Where possible, also restrict which producers may publish bodies with content type application/x-java-serialized-object to the queues the application consumes, and enforce a maximum message size at the broker so oversized bodies are dropped before they reach the consumer.
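The following is an added example, not code from the Spring AMQP project or from this advisory, showing the vulnerable logging shape described above next to a hardened replacement that a consumer can use while it is still on an affected version. It uses only the Spring AMQP core Message and MessageProperties classes; the class name, the 64-byte preview limit and the sample messages in main() are assumptions constructed for the example.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.amqp.core.Message;
import org.springframework.amqp.core.MessageProperties;

public final class MessageLogging {

    // Assumption for the example: never render more than 64 raw bytes in a log line.
    private static final int MAX_PREVIEW_BYTES = 64;

    // Vulnerable pattern (affected versions): the Message reaches toString()
    // implicitly through string concatenation, so a body with content type
    // application/x-java-serialized-object is deserialized just to be logged.
    static String vulnerableLogLine(Message message) {
        return "received: " + message;
    }

    // Hardened pattern: describe the message from its properties and raw bytes
    // only. Nothing here deserializes, and the preview is bounded, so neither
    // the CPU-exhaustion nor the OOM path described in the advisory is reachable.
    static String safeLogLine(Message message) {
        MessageProperties props = message.getMessageProperties();
        byte[] body = message.getBody() == null ? new byte[0] : message.getBody();
        StringBuilder sb = new StringBuilder("received:");
        sb.append(" contentType=").append(props.getContentType());
        sb.append(" bodyLength=").append(body.length);
        sb.append(" javaSerialized=").append(carriesSerializedObject(message));
        sb.append(" preview=").append(hexPrefix(body, MAX_PREVIEW_BYTES));
        return sb.toString();
    }

    // True when either the declared content type or the body's leading bytes
    // (the Java serialization stream magic 0xAC 0xED) indicate a serialized
    // object. Checking the bytes catches producers that mislabel the content type.
    static boolean carriesSerializedObject(Message message) {
        String contentType = message.getMessageProperties().getContentType();
        byte[] body = message.getBody();
        boolean declared = MessageProperties.CONTENT_TYPE_SERIALIZED_OBJECT.equals(contentType);
        boolean magic = body != null && body.length >= 2
                && (body[0] & 0xFF) == 0xAC && (body[1] & 0xFF) == 0xED;
        return declared || magic;
    }

    // Render at most `max` bytes as hex; never build a String from the whole body.
    static String hexPrefix(byte[] body, int max) {
        int n = Math.min(body.length, max);
        StringBuilder sb = new StringBuilder(n * 2 + 3);
        for (int i = 0; i < n; i++) {
            sb.append(String.format("%02x", body[i] & 0xFF));
        }
        if (body.length > max) {
            sb.append("...");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a message labelled as a serialized object whose body
        // is only the serialization stream header (magic + version), i.e. no
        // object and no gadget; enough to exercise the content-type gate.
        byte[] header = new byte[] {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
        MessageProperties props = new MessageProperties();
        props.setContentType(MessageProperties.CONTENT_TYPE_SERIALIZED_OBJECT);
        Message suspicious = new Message(header, props);

        // Constructed sample: an ordinary text message.
        MessageProperties textProps = new MessageProperties();
        textProps.setContentType(MessageProperties.CONTENT_TYPE_TEXT_PLAIN);
        Message text = new Message("hello".getBytes(StandardCharsets.UTF_8), textProps);

        System.out.println(safeLogLine(suspicious));
        System.out.println(safeLogLine(text));
        // vulnerableLogLine(suspicious) is what an affected version must not run
        // on untrusted input; it is kept only to show the shape of the bug.
    }
}
```

A listener that should never accept Java-serialized bodies at all can call carriesSerializedObject() first and throw org.springframework.amqp.AmqpRejectAndDontRequeueException so the message is rejected without being requeued; the byte-level check matters because the declared content type is attacker-controlled and the gate must not depend on it alone.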
Fix
Fixed in Spring AMQP 2.2.19 and 2.3.11.
Weakness Enumeration
CWE-502: Deserialization of Untrusted Data
Related Identifiers
CVE-2021-22097
Affected Products
Spring Amqp