RCE in PATCH requests in Spring Data REST

CRITICAL | SEPTEMBER 21, 2017 | CVE-2017-8046

Description

Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.

Affected Spring Products and Versions

Spring Data REST:

  • 3.0.0 - 3.0.0
  • 2.6.0 - 2.6.8

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
3.0.1OSS
2.6.9OSS

No further mitigation steps are necessary.

Credit

This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.

History

  • 2017-09-21: Initial vulnerability report published.
  • 2018-03-06: Corrected affected and fixed versions

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all