Spring Security Advisories

CVE-2015-5211 RFD Attack in Spring Framework

HIGH | OCTOBER 15, 2015 | CVE-2015-5211

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

For details and concrete examples see the very helpful RFD paper from Trustwave.

CVE-2015-3192 DoS Attack with XML Input

LOW | JUNE 30, 2015 | CVE-2015-3192

XML external entities were previously disabled with the publication of http://pivotal.io/security/cve-2013-6429. If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

This is now done in the Spring Framework by default wherever the framework sets up XML parsing from external sources. Mainly this includes the Unmarshaller implementations in spring-oxm and the HttpMessageConverter implementations in spring-web.

Note that further actions may need to be taken by applications in particular where use of StAX is concerned. For example IBM JDK 1.6 and 1.7 require an environment variable in addition to setting supportDTD=false (see IBM JDK reference). Moreover we’ve found that supportDTD alone does not protect against all kinds of DoS attacks with JDK JAXP implementations. Hence we recommend using the Woodstox open source library for StAX parsing.

The following describes when StAX is used in the Spring Framework:

  • SourceHttpMessageConverter -- enabled by default. The converter was added in 3.2 while StAX support was added in 4.0.1 and is used when converting to Spring MVC controller method argument of type javax.xml.transform.stax.StAXSource.
  • Jaxb2CollectionHttpMessageConverter -- not enabled by default. This converter was added in 3.2.
  • MappingJackson2XmlHttpMessageConverter -- enabled when “jackson-dataformat-xml” is present on the classpath. This converter was added in 4.1.

CVE-2015-0201 Insufficiently random session id in Java SockJS client

LOW | MARCH 06, 2015 | CVE-2015-0201

Session id generation in the Java SockJS client is not sufficiently secure and could allow a user to send messages to another user’s session.

Note that this only affects users of the Java SockJS client, which generates its own session id. It does not affect browser clients even if they’re connecting to the same server.

Furthermore, since SockJS is a transport layer, when using a higher level messaging protocol on top such as STOMP over WebSocket with the spring-messaging module, application-level security may already be getting applied to STOMP messages and that can neutralize the impact of any potential attacks.

CVE-2014-3527 Access Control Bypass in Spring Security

HIGH | AUGUST 15, 2014 | CVE-2014-3527

When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request.

This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed.

If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

CVE-2014-1904 XSS when using Spring MVC

MEDIUM | MARCH 11, 2014 | CVE-2014-1904

When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form.

CVE-2014-0054 Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE)

HIGH | MARCH 11, 2014 | CVE-2014-0054

Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all