7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25897

GHSA ID

GHSA-fph9-f5r6-vhqf

EPSS Score

0.15846%

CWE

CWE-770

Published

9/15/2022

Updated

2/2/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25897

CVE-2022-25897: Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)

Impact

Denial of Service

Details

OPC UA specification describes a concept named Subscriptions. Subscriptions monitor a set of Monitored Items for Notifications and return them to the Client in response to Publish requests. The server notifies the client about changes only in case the value is changed. Each monitored item is configured on a subscription, each subscription is linked to a single OPC UA session. Most OPC UA implementations set many controls and limitations for excessive memory consumption. For example:

What is the maximum allowed number of concurrent sessions
For each active sessions - what is the maximum allowed number of concurrent subscription per a single session
For each active subscription - what is the maximum allowed number of concurrent monitored items per a single subscription

Clarity Research discovered a unique way to bypass those restrictions and fill up the OPC UA server process memory.

The close session request closes a connected session. A deleteSubscription flag is also sent in that message and determines whether the server should save the subscriptions for a future session reconnection or discard them upon session termination. If the deleteSubscription flag is False the server will store the subscriptions thus filling up the memory in an unlimited manner.

Sending multiple subscribe requests with multiple monitored items from multiple sessions will quickly fill up the process memory until the server crashes.

To trigger this bug all is needed is to create many sessions with subscriptions and monitored items without ever deleting the monitored items. Eventually these allocations will consume all the available process memory which will lead to a crash and denial of service condition.

Clarity PoC does:

while True:
    Open a valid OPC UA session
    Create multiple subscriptions
    Add monitored items to each subscription
    Close the session with the DeleteSubscriptions flag = False

Acknowledgement

We would like to thanks Vera Mens, Uri Katz, @sharonbrizinov of Team82 (Claroty Research) for this report.

For more information

If you have any questions or comments about this advisory:

Open an issue in Eclipse Milo repository
Email us at milo-dev

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25897

GHSA ID

GHSA-fph9-f5r6-vhqf

EPSS Score

0.15846%

CWE

CWE-770

Published

9/15/2022

Updated

2/2/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.milo:sdk-server	maven	< 0.6.8	0.6.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing per-session limits for monitored items. The pre-patch version of createMonitoredItems in SubscriptionManager.java only checked the global server-wide limit (getMaxMonitoredItems), allowing attackers to create multiple sessions each allocating the maximum allowed global items. The patch added a new getMaxMonitoredItemsPerSession check and session-level tracking (monitoredItemCount), confirming this was the vulnerable point. The function's lack of session-level throttling enabled the resource exhaustion attack vector when combined with session reuse (deleteSubscriptions=False).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t **ni*l o* S*rvi** ### **t*ils OP* U* sp**i*i**tion **s*ri**s * *on**pt n*m** _Su*s*riptions_. _Su*s*riptions_ monitor * s*t o* _Monitor** It*ms_ *or _Noti*i**tions_ *n* r*turn t**m to t** _*li*nt_ in r*spons* to _Pu*lis*_ r*qu*sts. T**

Reasoning

T** vuln*r**ility st*ms *rom missin* p*r-s*ssion limits *or monitor** it*ms. T** pr*-p*t** v*rsion o* *r**t*Monitor**It*ms in Su*s*riptionM*n***r.j*v* only ****k** t** *lo**l s*rv*r-wi** limit (**tM*xMonitor**It*ms), *llowin* *tt**k*rs to *r**t* mult

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-25897: Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)

Impact

Details

Acknowledgement

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI