7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-26477

GHSA ID

GHSA-m43h-hfrq-x8wx

EPSS Score

0.91108%

CWE

CWE-400

Published

6/28/2022

Updated

10/28/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-26477

CVE-2022-26477: SystemDS CPU exhaustion vulnerability

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a "low-priority but useful improvement". SystemDS is a distributed system and needs to serialize/deserialize data but in many code paths (e.g., on Spark broadcast/shuffle or writing to sequence files) the byte stream is anyway protected by additional CRC fingerprints. In this particular case though, the number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner. By adding these checks robustness was strictly improved with almost zero overhead. These code changes are available in versions higher than 2.2.1.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-26477

GHSA ID

GHSA-m43h-hfrq-x8wx

EPSS Score

0.91108%

CWE

CWE-400

Published

6/28/2022

Updated

10/28/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.systemds:systemds	maven	< 2.2.2	2.2.2
systemds	pip	>= 0, < 2.2.2	2.2.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the readExternal method's loop termination condition as the root cause. In Java serialization, readExternal is used for custom deserialization logic. The advisory specifies that an attacker could tamper with the variable controlling the loop iteration count, which matches the pattern of CWE-400 (uncontrolled resource consumption). While the exact class/path isn't provided, the method name (readExternal) and context (serialization/deserialization in a distributed system) strongly suggest it's part of a class handling matrix/data serialization, a core component in SystemDS.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** S**urity T**m noti*** t**t t** t*rmin*tion *on*ition o* t** *or loop in t** r****xt*rn*l m*t*o* is * *ontroll**l* v*ri**l*, w*i**, i* t*mp*r** wit*, m*y l*** to *PU *x**ustion. *s * *ix, w* ***** *n upp*r *oun* *n* t*rmin*tion *on*ition in t** r*

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** r****xt*rn*l m*t*o*'s loop t*rmin*tion *on*ition *s t** root **us*. In J*v* s*ri*liz*tion, r****xt*rn*l is us** *or *ustom **s*ri*liz*tion lo*i*. T** **visory sp**i*i*s t**t *n *tt**k*r *oul* t*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-26477: SystemDS CPU exhaustion vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI