Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now

Published: 2018-04-06 07:58:00
Source: The Hacker News (thehackernews.com)

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.86 High (Percentile: 98.2%)


Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of which is a critical remote code execution flaw that could allow remote attackers to execute arbitrary code against applications built with it.

Spring Framework is a popular, lightweight, open source framework for developing Java-based enterprise applications.

In an advisory released today by Pivotal, the company detailed the following three vulnerabilities discovered in Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions:

  • Critical: Remote Code Execution with spring-messaging (CVE-2018-1270)
  • High: Directory Traversal with Spring MVC on Windows (CVE-2018-1271)
  • Low: Multipart Content Pollution with Spring Framework (CVE-2018-1272)

Vulnerable Spring Framework versions expose STOMP clients over WebSocket endpoints with an in-memory STOMP broker through the ‘spring-messaging’ module, which could allow an attacker to send a maliciously crafted message to the broker, leading to a remote code execution attack (CVE-2018-1270).

“The use of authentication and authorization of messages, such as the one provided by Spring Security, can limit exposure to this vulnerability only to users who are allowed to use the application,” the company suggests.

The second bug (CVE-2018-1271) resides in Spring’s Web model-view-controller (MVC) and allows attackers to perform a directory traversal attack and access restricted directories when the application is configured to serve static resources (e.g., CSS, JS, images) from a file system on Windows.

This vulnerability cannot be exploited if you are not using Windows to serve content, and it can be avoided if you don’t serve files from the file system or if you use Tomcat or WildFly as the server.

Pivotal has released Spring Framework 5.0.5 and 4.3.15, which include fixes for all three vulnerabilities. The company has also released Spring Boot 2.0.1 and 1.5.11, which match the patched Spring Framework versions.

Developers and administrators are strongly advised to upgrade their software to the latest versions immediately.
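
A version check for deployed jars, built from the affected ranges and fixed releases listed above. This is an added example, not code from Pivotal or the original article; the Maven artifact names, the `.RELEASE` file-name suffix and the sample paths are assumptions.

```python
import re

# Ranges from the article: 5.0 to 5.0.4 (fixed in 5.0.5), 4.3 to 4.3.14
# (fixed in 4.3.15); older, unsupported branches are affected too.
FIXED = {(5, 0): (5, 0, 5), (4, 3): (4, 3, 15)}
# Assumption: Maven artifact names for the modules the article mentions.
MODULE_CVE = {
    "spring-messaging": "CVE-2018-1270",  # RCE via STOMP over WebSocket
    "spring-webmvc": "CVE-2018-1271",     # traversal; static resources on Windows
}
# Assumption: a subset of Spring Framework artifacts worth checking.
FRAMEWORK_JARS = set(MODULE_CVE) | {"spring-core", "spring-web", "spring-websocket"}
JAR_RE = re.compile(r"(?:^|/)(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?\.jar$")

def classify(version):
    """Map a (major, minor, patch) tuple to (status, fixed release or None)."""
    fixed = FIXED.get(version[:2])
    if fixed:
        return ("affected", fixed) if version < fixed else ("patched", None)
    if version < (4, 3, 0):
        return ("affected-unsupported", None)
    return ("not-listed", None)  # branch outside the ranges the article gives

def scan(jar_paths):
    """Return one finding per Spring Framework jar found in jar_paths."""
    findings = []
    for path in jar_paths:
        m = JAR_RE.search(path)
        if not m or m.group(1) not in FRAMEWORK_JARS:
            continue  # skips spring-boot, spring-security-*, non-Spring jars
        status, fixed = classify(tuple(int(g) for g in m.group(2, 3, 4)))
        affected = status.startswith("affected")
        findings.append({
            "jar": path.rsplit("/", 1)[-1],
            "status": status,
            "upgrade_to": ".".join(map(str, fixed)) if fixed else None,
            "cve": MODULE_CVE.get(m.group(1)) if affected else None,
        })
    return findings

# Constructed sample jar paths (not taken from any real deployment).
SAMPLE = [
    "BOOT-INF/lib/spring-messaging-5.0.4.RELEASE.jar",
    "BOOT-INF/lib/spring-webmvc-4.3.15.RELEASE.jar",
    "BOOT-INF/lib/spring-core-4.2.9.RELEASE.jar",
    "BOOT-INF/lib/spring-boot-2.0.0.RELEASE.jar",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A jar reported as `affected-unsupported` has no fixed release on its own branch in the article, so `upgrade_to` is left empty.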
