Description

Spring Framework, versions 5.0.x prior to 5.0.6 and versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

This vulnerability exposes applications that meet all of the following requirements:

• Depend on spring-messaging and spring-websocket modules.
• Register STOMP over WebSocket endpoints.
• Enable the simple STOMP broker.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.5
• Spring Framework 4.3 to 4.3.16
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.6.
• 4.3.x users should upgrade to 4.3.17.
• Older versions should upgrade to a supported branch.

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for messages, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd.

References

• Example <a href='https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable'&gt;STOMP over WebSocket config</a> where simple broker is enabled.
• <a href='https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/reference/htmlsingle/#websocket'&gt;Spring…

Description

Spring Security in combination with Spring Framework 5.0.5.RELEASE contain an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

Affected Spring Products and Versions

• Spring Framework 5.0.5.RELEASE and Spring Security (any version)
• Applications are only impacted if they use Spring Framework 5.0.5.RELEASE and Spring Security method security. The bug is present in Spring Framework 5.0.5.RELEASE, but is not considered a CVE unless combined with Spring Security’s method security support.
• The bug is present only in Spring Framework 5.0.5.RELEASE. If the application does not use Spring Framework 5.0.5.RELEASE then it is not impacted. The bug does not impact any Spring Framework 4.x versions or any other versions of Spring Framework.

Mitigation

• Users leveraging Spring Framework 5.x should avoid using Spring Framework 5.0.5.RELEASE. Updating to Spring Security 5.0.5.RELEASE+ or Spring Boot 2.0.2.RELEASE+ brings in Spring Framework 5.0.6.RELEASE+ transitively. However, users should be certain that other dependency management mechanisms are also updated to use Spring Framework 5.0.6.RELEASE or newer.
• Users leveraging Spring Framework 4.x (Spring Security 4.x or Spring Boot 1.x) are not impacted so no steps are necessary.
• There are no other mitigation steps required.

Credit

This issue was identified internally by the Spring Security Team.

History

2018-05-09: Initial vulnerability report published

• 2018-07-30: Clarifications on impacted versions

Description

Spring Data Commons, versions prior to 1.13 to 1.13.11 and 2.0 to 2.0.6 used in combination with XMLBeam 1.4.14 or earlier versions contain a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data’s projection-based request payload binding to access arbitrary files on the system.

Affected Spring Products and Versions

• Spring Data Commons 1.13 to 1.13.11 (Ingalls SR11)
• Spring Data REST 2.6 to 2.6.11 (Ingalls SR11)
• Spring Data Commons 2.0 to 2.0.6 (Kay SR6)
• Spring Data REST 3.0 to 3.0.6 (Kay SR6)

Mitigation

Users of affected versions should apply the following mitigation:

• 1.13.x users should upgrade to 1.13.12 (Ingalls SR12)
• 2.0.x users should upgrade to 2.0.7 (Kay SR7)
• Alternatively, upgrade to XMLBeam 1.4.15

Releases that have fixed this issue include:

• Spring Data REST 2.6.12 (Ingalls SR12)
• Spring Data REST 3.0.7 (Kay SR7)

There are no other mitigation steps necessary.

Note that the vulnerability is only exploitable when using XMLBeam. The use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Abago Forgans.

References

• <a href='https://jira.spring.io/browse/DATACMNS-1292'&gt;https://jira.spring.io/browse/DATACMNS-1292&lt;/a>
• <a href='https://docs.spring.io/spring-data/commons/docs/current/reference/html/#core.web.binding'&gt;Spring Data Commons: Web databinding support</a>
…

Description

Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.

This vulnerability exposes applications that meet all of the following requirements:

• Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
• Use the default Approval Endpoint

This vulnerability does not expose applications that:

• Act in the role of an Authorization Server but override the default Approval Endpoint
• Act in the role of a Resource Server only (e.g. @EnableResourceServer)
• Act in the role of a Client only (e.g. @EnableOAuthClient)

Affected Spring Products and Versions

• Spring Security OAuth 2.3 to 2.3.2
• Spring Security OAuth 2.2 to 2.2.1
• Spring Security OAuth 2.1 to 2.1.1
• Spring Security OAuth 2.0 to 2.0.14
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 2.3.x users should upgrade to 2.3.3
• 2.2.x users should upgrade to 2.2.2
• 2.1.x users should upgrade to 2.1.2
• 2.0.x users should upgrade to 2.0.15
• Older versions should upgrade to a supported branch

There are no other mitigation steps required.

Credit

This issue was identified and responsibly reported by Philippe Arteau from GoSecure.

References

• Spring Security OAuth <a href='http://projects.spring.io/spring-security-oauth/docs/oauth2.html'&gt;documentation&lt;/a&gt;, see section "Authorization Server Configuration"
• Example configuration for <a href='https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/approval/src/main/java/demo/Application.java#L36'&gt;@EnableAuthorizationServer&lt;/a…

Description

spring-integration-zip , versions prior to 1.0.1, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

This specifically applies to the unzip transformer.

This can only happen if an application using this library accepts and unpacks zip files from untrusted sources.

Affected Spring Products and Versions

• Spring Integration Zip Community Extension Project version 1.0.0.RELEASE

Mitigation

Users of affected versions should apply the following mitigation:

• Upgrade to the 1.0.1.RELEASE

Or do not unzip untrusted zip files.

Credit

This issue was identified and responsibly reported by the Snyk Security Research Team.

History

2018-05-09: Initial vulnerability report published

Description

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

Affected Spring Products and Versions

• Spring Cloud SSO Connector version 2.1.2

Mitigation

Users of affected versions should apply the following mitigation:

• Releases that have fixed this issue include:</p><ul><li>Spring Cloud SSO Connector: 2.1.3</li></ul>
• Alternatively, you can perform <u>one</u> of the following workarounds:</p><ul><li>Bind your resource server to the SSO service plan via a service instance binding</li><li>Set “sso.connector.cloud.available=true” within your Spring application properties</li></ul>

Credit

This vulnerability was responsibly reported by the Pivotal SSO Service team.

History

2018-04-30: Initial vulnerability report published

Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.

Affected Spring Products and Versions

• Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
• Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
• Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
• Spring Data REST 3.0 to 3.0.5 (Kay SR5)
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 2.0.x users should upgrade to 2.0.6
• 1.13.x users should upgrade to 1.13.11
• Older versions should upgrade to a supported branch

Releases that have fixed this issue include:

• Spring Data REST 2.6.11 (Ingalls SR11)
• Spring Data REST 3.0.6 (Kay SR6)

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Philippe Arteau, GoSecure Inc.

References

• https://jira.spring.io/browse/DATACMNS-1282
• https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
• https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
• …

Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

Affected Spring Products and Versions

• Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
• Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
• Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
• Spring Data REST 3.0 to 3.0.5 (Kay SR5)
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 2.0.x users should upgrade to 2.0.6
• 1.13.x users should upgrade to 1.13.11
• Older versions should upgrade to a supported branch

Releases that have fixed this issue include:

• Spring Data REST 2.6.11 (Ingalls SR11)
• Spring Data REST 3.0.6 (Kay SR6)

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Yevhenii Hrushka (Yevgeniy Grushka), Fortify Webinspect.

References

• https://jira.spring.io/browse/DATACMNS-1285
• https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fbad
• https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee0
…

Description

This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, as well as older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.4
• Spring Framework 4.3 to 4.3.15
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.5
• 4.3.x users should upgrade to 4.3.16
• Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for messages, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This original issue CVE-2018-1270 was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify. The subsequent CVE-2018-1275 partial fix was identified and…

Description

Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.4
• Spring Framework 4.3 to 4.3.15
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.5
• 4.3.x users should upgrade to 4.3.16
• Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for messages, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify.

References

• Example <a href='https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable'&gt;STOMP over WebSocket config</a> where simple broker is enabled.
• <a href='https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/reference/htmlsingle/#websocket'&gt;Spring…