CVE-2021-33580: Apache Roller: regex injection leading to DoS

[Dave <snoopdave () gmail com>]

Severity: Low: This attack will only work if Banned-words Referrer
processing is turned on in Roller and it is off-by-default.

Description:

User controlled `request.getHeader("Referer")`,
`request.getRequestURL()` and `request.getQueryString()` are used to
build and run a regex expression.

The attacker doesn't have to use a browser and may send a specially
crafted Referer header programmatically. Since the attacker controls
the string and the regex pattern he may cause a ReDoS by regex
catastrophic backtracking on the server side.


Mitigation:

This problem has been fixed in Roller 6.0.2. If you are not able to
upgrade then you can "work around" the problem.

If Banned-Words Referrer processing is enabled and you are concerned
about this type of attack then disable it.

In the Roller properties, set this property
site.bannedwordslist.enable.referrers=false

Credit:

Apache Roller would like to thank Ed Ra (https://github.com/edvraa)
for reporting this.