Spring released security advisories on May 9 (local time) fixing multiple vulnerabilities, including a critical remote code execution vulnerability.
Reference link: https://pivotal.io/security
Affected versions of Spring Framework allow applications to use the spring-messaging module to expose STOMP over WebSocket endpoints through the simple in-memory STOMP broker. An attacker could send a specially crafted message to the broker to cause a denial of service.
Applications become vulnerable when all of the following requirements are met:
- Depend on spring-messaging and spring-websocket modules.
- Register STOMP over WebSocket endpoint.
- Enable the simple STOMP broker.
Affected versions:
- Spring Framework 5.0 to 5.0.5
- Spring Framework 4.3 to 4.3.16
- Older versions that are no longer supported
Users affected by this vulnerability are advised to upgrade their systems to the following versions:
- 5.0.x users should upgrade to 5.0.6.
- 4.3.x users should upgrade to 4.3.17.
- Older versions should upgrade to a supported branch.
Reference link: https://pivotal.io/security/cve-2018-1257
Spring Security in combination with Spring Framework 5.0.5.RELEASE contains an authorization bypass when using method security. An unauthorized malicious user can gain access to methods that should be restricted.
Affected versions:
- Spring Framework 5.0.5.RELEASE + Spring Security (any version)
Users leveraging Spring Security’s method security should ensure they are using Spring Framework 5.0.6.RELEASE or newer.
Reference Link: https://pivotal.io/security/cve-2018-1258
Affected versions of Spring Data Commons contain an external entity reference (XXE) vulnerability. Unauthenticated remote malicious users could supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system. This vulnerability affects users of XMLBeam. Requiring authentication and authorization on endpoints, both of which Spring Security provides, limits exposure to this vulnerability to authorized users.
Affected versions:
- Spring Data Commons 1.13 to 1.13.11 (Ingalls SR11)
- Spring Data REST 2.6 to 2.6.11 (Ingalls SR11)
- Spring Data Commons 2.0 to 2.0.6 (Kay SR6)
- Spring Data REST 3.0 to 3.0.6 (Kay SR6)
Users affected by this vulnerability should upgrade their systems to the following versions:
- Spring Data Commons 1.13.x users should upgrade to 1.13.12 (Ingalls SR12)
- Spring Data Commons 2.0.x users should upgrade to 2.0.7 (Kay SR7)
- Spring Data REST 2.6.x users should upgrade to 2.6.12 (Ingalls SR12)
- Spring Data REST 3.0.x users should upgrade to 3.0.7 (Kay SR7)
Alternatively, upgrade XMLBeam to 1.4.15.
Reference link: https://pivotal.io/security/cve-2018-1259
Affected versions of Spring Security OAuth contain a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that leads to remote code execution when the resource owner is forwarded to the approval endpoint.
This vulnerability has impact on applications that meet all of the following requirements:
- Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
- Use the default Approval Endpoint
This vulnerability does not affect applications that:
- Act in the role of an Authorization Server but override the default Approval Endpoint
- Act in the role of a Resource Server only (e.g. @EnableResourceServer)
- Act in the role of a Client only (e.g. @EnableOAuthClient)
Affected versions:
- Spring Security OAuth 2.3 to 2.3.2
- Spring Security OAuth 2.2 to 2.2.1
- Spring Security OAuth 2.1 to 2.1.1
- Spring Security OAuth 2.0 to 2.0.14
- Older versions that are no longer supported
Users affected by this vulnerability are advised to upgrade their systems to the following versions:
- 2.3.x users should upgrade to 2.3.3
- 2.2.x users should upgrade to 2.2.2
- 2.1.x users should upgrade to 2.1.2
- 2.0.x users should upgrade to 2.0.15
- Older versions should upgrade to a supported branch.
Reference link: https://pivotal.io/security/cve-2018-1260
Affected versions of spring-integration-zip contain an arbitrary file write vulnerability that could be exploited using a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) whose entry names contain path traversal sequences. When such a filename is concatenated to the target extraction directory, the final path ends up outside the target folder.
This can only happen if an application using this library accepts and unpacks archives from untrusted sources.
Affected versions:
- Spring Integration Zip Community Extension Project version 1.0.0.RELEASE
Users affected by this vulnerability should upgrade their systems to the following version:
- 1.0.1.RELEASE
Alternatively, do not unzip untrusted archives.
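The check that closes the traversal described above, written here as an added illustration in plain Java and not taken from Spring Integration Zip: every entry name is resolved against the target directory and rejected when the normalized result no longer lies inside it. The class and method names are hypothetical; the same entry-name check applies to any archive format, not only zip.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Unpacks a zip stream into targetDir, refusing any entry whose path escapes it. */
public final class SafeUnzip {

    /** Resolves entryName under targetDir and verifies the result stays inside targetDir. */
    static Path resolveSafely(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        // Plain concatenation is the bug: "../../x" or an absolute name leaves the target.
        // normalize() collapses the ".." segments so the prefix check below is meaningful;
        // Path.startsWith compares whole path components, so "/tmp/abcd" is not under "/tmp/abc".
        Path candidate = base.resolve(entryName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("Entry escapes target directory: " + entryName);
        }
        return candidate;
    }

    /** Extracts all entries; returns the number of files written. */
    public static int unzip(InputStream in, Path targetDir) throws IOException {
        int extracted = 0;
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path dest = resolveSafely(targetDir, entry.getName()); // throws on traversal
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING);
                    extracted++;
                }
                zis.closeEntry();
            }
        }
        return extracted;
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("unzip-target"); // constructed sample target
        System.out.println("accepted: " + resolveSafely(target, "docs/readme.txt"));
        try {
            resolveSafely(target, "../../escaped.txt"); // constructed traversal entry name
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```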