CVE-2021-22097: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2021-22097 was discovered in Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, affecting the Spring AMQP Message object's toString() method. The vulnerability was disclosed on October 26, 2021, and involves the deserialization of message bodies with content type application/x-java-serialized-object, where classes in java.lang and java.util packages are trusted (Spring Security).

The vulnerability exists in the toString() method of the Spring AMQP Message object, which deserializes message bodies with content type application/x-java-serialized-object. The issue allows for the construction of a malicious java.util.Dictionary object that can trigger 100% CPU usage when the toString() method is called. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a denial of service condition by consuming 100% CPU usage in the application when the toString() method is called on a maliciously crafted message. The attack requires the attacker to have privileges to directly publish messages to the RabbitMQ server (Spring Security).

Users of affected versions should upgrade to Spring AMQP version 2.3.11 for 2.3.x users or version 2.2.19 for 2.2.x users. Additionally, it is recommended not to allow untrustworthy actors to publish arbitrary data to RabbitMQ. The vulnerability has been fixed in Spring AMQP versions 2.3.11 and 2.2.19 (Spring Security).

The vulnerability was identified and responsibly reported by r00t4dm Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department (Spring Security).